diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2b3a94a..6fc558e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -77,9 +77,15 @@ jobs:
 - name: Test nessus_mapper
 run: |
 heimdall_tools nessus_mapper -x ./sample_jsons/nessus_mapper/sample_input_report/nessus_sample.nessus -o nessus.json
- jq 'del(.version, .platform.release)' nessus.json-ip-10-10-23-102.json > nessus_jq.json
- jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus_sample_hdf.json > nessus_sample_hdf.json
- diff nessus_sample_hdf.json nessus_jq.json
+ jq 'del(.version, .platform.release)' nessus.json-ip-10-10-23-102.json > nessus-jq.json-ip-10-10-23-102.json
+ jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus.json-ip-10-10-23-102.json > nessus-sample-jq.json-ip-10-10-23-102.json
+ diff nessus-sample-jq.json-ip-10-10-23-102.json nessus-jq.json-ip-10-10-23-102.json
+ jq 'del(.version, .platform.release)' nessus.json-ip-10-10-24-231.json > nessus-jq.json-ip-10-10-24-231.json
+ jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus.json-ip-10-10-24-231.json > nessus-sample-jq.json-ip-10-10-24-231.json
+ diff nessus-sample-jq.json-ip-10-10-24-231.json nessus-jq.json-ip-10-10-24-231.json
+ jq 'del(.version, .platform.release)' nessus.json-ip-10-10-37-43.json > nessus-jq.json-ip-10-10-37-43.json
+ jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus.json-ip-10-10-37-43.json > nessus-sample-jq.json-ip-10-10-37-43.json
+ diff nessus-sample-jq.json-ip-10-10-37-43.json nessus-jq.json-ip-10-10-37-43.json
 - name: Test scoutsuite mapper
 run: |
 heimdall_tools scoutsuite_mapper -i ./sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js -o scoutsuite_output.json
diff --git a/.rubocop.yml b/.rubocop.yml
index 39f236c..05bec0e 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
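Review bot: The nine added jq/diff lines are three copies of one block that differ only in the host id, and nothing asserts that the mapper wrote exactly those three per-host files, so a mapper that starts emitting an extra `nessus.json-<host>.json` (or a differently named one) would still pass this step. A loop over the expected hosts keeps the comparison in one place and a count check closes that gap; the step also appears to rely on the runner's default fail-fast shell to stop on the first failing `diff`, which is worth making explicit with `shell: bash`. The enclosing `jobs:` list starts and ends outside the hunk.
```yaml
      - name: Test nessus_mapper
        shell: bash
        run: |
          heimdall_tools nessus_mapper -x ./sample_jsons/nessus_mapper/sample_input_report/nessus_sample.nessus -o nessus.json
          [ "$(ls nessus.json-*.json | wc -l)" -eq 3 ]
          for host in ip-10-10-23-102 ip-10-10-24-231 ip-10-10-37-43; do
            jq 'del(.version, .platform.release)' "nessus.json-${host}.json" > "nessus-jq.json-${host}.json"
            jq 'del(.version, .platform.release)' "./sample_jsons/nessus_mapper/nessus.json-${host}.json" > "nessus-sample-jq.json-${host}.json"
            diff "nessus-sample-jq.json-${host}.json" "nessus-jq.json-${host}.json"
          done
      # … unchanged: Test scoutsuite mapper step …
```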
@@ -10,6 +10,7 @@ AllCops:
 - 'test/**/*'
 - 'examples/plugins/train-*/test/**/*'
 - 'vendor/**/*'
+ - 'sample_jsons/**/*'
 Style/Documentation:
 Enabled: false
 Layout/ParameterAlignment:
@@ -26,6 +27,8 @@ Style/NumericLiterals:
 MinDigits: 10
 Metrics/ModuleLength:
 Enabled: false
+Metrics/ClassLength:
+ Enabled: false
 Style/PercentLiteralDelimiters:
 PreferredDelimiters:
 '%': '{}'
diff --git a/lib/heimdall_tools/nessus_mapper.rb b/lib/heimdall_tools/nessus_mapper.rb
index a48e5a1..3a8d8f9 100644
--- a/lib/heimdall_tools/nessus_mapper.rb
+++ b/lib/heimdall_tools/nessus_mapper.rb
@@ -92,11 +92,17 @@ def format_desc(issue)
 def finding(issue, timestamp)
 finding = {}
- # if compliance-result field, this is a policy compliance result entry
- # nessus policy compliance result provides a pass/fail data
- # For non policy compliance results are defaulted to failed
 if issue['compliance-result']
- finding['status'] = issue['compliance-result'].eql?('PASSED') ? 'passed' : 'failed'
+ case issue['compliance-result']
+ when 'PASSED'
+ finding['status'] = 'passed'
+ when 'ERROR'
+ finding['status'] = 'error'
+ when 'WARNING'
+ finding['status'] = 'skipped'
+ else
+ finding['status'] = 'failed'
+ end
 else
 finding['status'] = 'failed'
 end
diff --git a/sample_jsons/nessus_mapper/nessus.json-ip-10-10-23-102.json b/sample_jsons/nessus_mapper/nessus.json-ip-10-10-23-102.json
new file mode 100644
index 0000000..d40a0dd
--- /dev/null
+++ b/sample_jsons/nessus_mapper/nessus.json-ip-10-10-23-102.json
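Review bot: The three comment lines that explained the status defaulting are removed and nothing replaces them, yet the new `when 'WARNING'` → `'skipped'` branch is the mapping a maintainer will question: in the sample output this same commit adds, a WARNING is a check whose audit command returned nothing (the `modprobe -n -v vfat` entry), and surfacing it as `skipped` presumably keeps it out of the failed count downstream rather than flagging it for manual review. Suggest a comment above the `case`: `# Nessus compliance-result is PASSED/FAILED/WARNING/ERROR; WARNING means the check could not` / `# be evaluated (e.g. the audit command returned no output), so it is reported as 'skipped'` / `# for manual review rather than as a failure; any unrecognised value fails closed.` The outer `if`/`else` now duplicates the inner `else` (a missing `compliance-result` already falls through to `'failed'`), so the block could shrink to a single `finding['status'] = case issue['compliance-result'] … else 'failed' end`. `finding` continues past the end of the hunk.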
@@ -0,0 +1 @@ +{"platform":{"name":"Heimdall Tools","release":"1.3.48.12.g4ffa442.1.dirty.20210809.144659","target_id":"ip-10-10-23-102"},"version":"1.3.48.12.g4ffa442.1.dirty.20210809.144659","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"],"rid":"14272"},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 
'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed 
Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"],"rid":"19506"},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"],"rid":"21157"},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[],"cci":[],"rid":"","stig_id":""},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"skipped","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"skipped","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"f4dbd73ab74f11d09b8adeab901f09c83176d5312a6b3c12b9d540ad84e7843d"}]}
\ No newline at end of file
diff --git a/sample_jsons/nessus_mapper/nessus.json-ip-10-10-24-231.json b/sample_jsons/nessus_mapper/nessus.json-ip-10-10-24-231.json
new file mode 100644
index 0000000..d1a7935
--- /dev/null
+++ b/sample_jsons/nessus_mapper/nessus.json-ip-10-10-24-231.json
@@ -0,0 +1 @@ +{"platform":{"name":"Heimdall Tools","release":"1.3.48.12.g4ffa442.1.dirty.20210809.144135","target_id":"ip-10-10-24-231"},"version":"1.3.48.12.g4ffa442.1.dirty.20210809.144135","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"],"rid":"14272"},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 
'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed 
Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"],"rid":"19506"},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"],"rid":"21157"},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[],"cci":[],"rid":"","stig_id":""},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"skipped","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1119) \n /usr/lib/ipsec/charon (1331) \n /usr/sbin/clamd (1176) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1128) \n snap.amazon-ssm-agent.amazon-ssm-agent (1560) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1119) \n /usr/lib/ipsec/charon (1331) \n /usr/sbin/clamd (1176) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1128) \n snap.amazon-ssm-agent.amazon-ssm-agent (1560) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1119) \n /usr/lib/ipsec/charon (1331) \n /usr/sbin/clamd (1176) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1128) \n snap.amazon-ssm-agent.amazon-ssm-agent (1560) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"skipped","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"729cea9526b612da79f99e572ef1cb4395f81e47f33b4ddc183106a6013c6f8d"}]}
\ No newline at end of file
diff --git a/sample_jsons/nessus_mapper/nessus.json-ip-10-10-37-43.json b/sample_jsons/nessus_mapper/nessus.json-ip-10-10-37-43.json
new file mode 100644
index 0000000..fec7792
--- /dev/null
+++ b/sample_jsons/nessus_mapper/nessus.json-ip-10-10-37-43.json
@@ -0,0 +1 @@ +{"platform":{"name":"Heimdall Tools","release":"1.3.48.12.g4ffa442.1.dirty.20210809.144135","target_id":"ip-10-10-37-43"},"version":"1.3.48.12.g4ffa442.1.dirty.20210809.144135","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"],"rid":"14272"},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 
'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed 
Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"],"rid":"19506"},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"],"rid":"21157"},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[],"cci":[],"rid":"","stig_id":""},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"skipped","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1244) \n /usr/lib/ipsec/charon (1397) \n /usr/sbin/clamd (1275) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1233) \n snap.amazon-ssm-agent.amazon-ssm-agent (1657) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1244) \n /usr/lib/ipsec/charon (1397) \n /usr/sbin/clamd (1275) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1233) \n snap.amazon-ssm-agent.amazon-ssm-agent (1657) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1244) \n /usr/lib/ipsec/charon (1397) \n /usr/sbin/clamd (1275) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1233) \n snap.amazon-ssm-agent.amazon-ssm-agent (1657) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"skipped","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"a5291ae3adea5d48a6f6a2e4d59079b8d21db10002df8487ad59f9a138d4e716"}]}
\ No newline at end of file
diff --git a/sample_jsons/nessus_mapper/nessus_sample_hdf.json b/sample_jsons/nessus_mapper/nessus_sample_hdf.json
deleted file mode 100644
index 102e843..0000000
--- a/sample_jsons/nessus_mapper/nessus_sample_hdf.json
+++ /dev/null
@@ -1 +0,0 @@
-{"platform":{"name":"Heimdall Tools","release":"1.3.46.6.gc067097.1.dirty.20210608.112327","target_id":"ip-10-10-23-102"},"version":"1.3.46.6.gc067097.1.dirty.20210608.112327","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"],"rid":"14272"},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 
'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed 
Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"],"rid":"19506"},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"],"rid":"21157"},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[],"cci":[],"rid":"","stig_id":""},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"faaaa553b691261da0f75c19d699cd3582664dab74482773260ea2ec15a0157b"}]}
\ No newline at end of file
diff --git a/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-23-102.json b/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-23-102.json
deleted file mode 100644
index dc9144d..0000000
--- a/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-23-102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"platform":{"name":"Heimdall Tools","release":"1.3.46.7.ga2183de.1.dirty.20210608.112533","target_id":"ip-10-10-23-102"},"version":"1.3.46.7.ga2183de.1.dirty.20210608.112533","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"],"rid":"14272"},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 
'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed 
Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"],"rid":"19506"},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"],"rid":"21157"},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[],"cci":[],"rid":"","stig_id":""},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"faaaa553b691261da0f75c19d699cd3582664dab74482773260ea2ec15a0157b"}]} \ No newline at end of file diff --git a/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-24-231.json b/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-24-231.json deleted file mode 100644 index 6ff951b..0000000 --- a/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-24-231.json +++ /dev/null 
@@ -1 +0,0 @@ -{"platform":{"name":"Heimdall Tools","release":"1.3.46.7.ga2183de.1.dirty.20210608.112533","target_id":"ip-10-10-24-231"},"version":"1.3.46.7.ga2183de.1.dirty.20210608.112533","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"],"rid":"14272"},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 
'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed 
Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"],"rid":"19506"},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"],"rid":"21157"},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[],"cci":[],"rid":"","stig_id":""},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1119) \n /usr/lib/ipsec/charon (1331) \n /usr/sbin/clamd (1176) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1128) \n snap.amazon-ssm-agent.amazon-ssm-agent (1560) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1119) \n /usr/lib/ipsec/charon (1331) \n /usr/sbin/clamd (1176) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1128) \n snap.amazon-ssm-agent.amazon-ssm-agent (1560) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1119) \n /usr/lib/ipsec/charon (1331) \n /usr/sbin/clamd (1176) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1128) \n snap.amazon-ssm-agent.amazon-ssm-agent (1560) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"2245af28a7c0619957a8408b37a2dde54ff8c5ca4cbb4929196354b0be4a0f51"}]}
\ No newline at end of file
diff --git a/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-37-43.json b/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-37-43.json
deleted file mode 100644
index e0fcd56..0000000
--- a/sample_jsons/nessus_mapper/nessus_sample_hdf.json-ip-10-10-37-43.json
+++ /dev/null
@@ -1 +0,0 @@
-{"platform":{"name":"Heimdall Tools","release":"1.3.46.7.ga2183de.1.dirty.20210608.112533","target_id":"ip-10-10-37-43"},"version":"1.3.46.7.ga2183de.1.dirty.20210608.112533","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"],"rid":"14272"},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 
'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed 
Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"],"rid":"19506"},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"],"rid":"21157"},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[],"cci":[],"rid":"","stig_id":""},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1244) \n /usr/lib/ipsec/charon (1397) \n /usr/sbin/clamd (1275) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1233) \n snap.amazon-ssm-agent.amazon-ssm-agent (1657) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1244) \n /usr/lib/ipsec/charon (1397) \n /usr/sbin/clamd (1275) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1233) \n snap.amazon-ssm-agent.amazon-ssm-agent (1657) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1244) \n /usr/lib/ipsec/charon (1397) \n /usr/sbin/clamd (1275) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1233) \n snap.amazon-ssm-agent.amazon-ssm-agent (1657) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"8bc710d10cfcf03b9f2b257fadcf1f98c4a401a2401f4f9ad93247b702398cae"}]} \ No newline at end of file