diff --git a/benchmarks/DISA/U_CAN_Ubuntu_18-04_LTS_STIG_V2R15_Manual-xccdf.xml b/benchmarks/DISA/U_CAN_Ubuntu_18-04_LTS_STIG_V2R15_Manual-xccdf.xml
new file mode 100644
index 000000000..6e2dd69a0
--- /dev/null
+++ b/benchmarks/DISA/U_CAN_Ubuntu_18-04_LTS_STIG_V2R15_Manual-xccdf.xml
@@ -0,0 +1,3706 @@
+acceptedCanonical Ubuntu 18.04 LTS Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 15 Benchmark Date: 24 Jul 20243.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>UBTU-18-010000Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. 
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+
+Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100519SV-109623CCI-000213Configure the system to require a password for authentication upon booting into single-user and maintenance modes.
+
+Generate an encrypted (grub) password for root with the following command:
+$ grub-mkpasswd-pbkdf2
+Enter Password:
+Reenter Password:
+PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG
+
+Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password:
+$ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom
+
+where <hash> is the hash generated by grub-mkpasswd-pbdkf2 command.
+
+Configure grub to only require a password when accessing the bootloader:
+$ sudo sed -i -E 's/^CLASS="[^"]*/& --unrestricted/' /etc/grub.d/10_linux
+
+Generate an updated "grub.conf" file with the new password by using the following command:
+$ update-grubVerify that an encrypted root password is set. This is only applicable on systems that use a basic Input/Output System BIOS.
+
+Run the following command to verify the encrypted password is set:
+$ grep –i password /boot/grub/grub.cfg
+
+password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
+
+If the root password entry does not begin with “password_pbkdf2”, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>UBTU-18-010001Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+
+Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100521SV-109625CCI-000213Configure the system to require a password for authentication upon booting into single-user and maintenance modes.
+
+Generate an encrypted (grub) password for root with the following command:
+$ grub-mkpasswd-pbkdf2
+Enter Password:
+Reenter Password:
+PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG
+
+Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password:
+$ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom
+
+where <hash> is the hash generated by grub-mkpasswd-pbdkf2 command.
+
+Configure grub to only require a password when accessing the bootloader:
+$ sudo sed -i -E 's/^CLASS="[^"]*/& --unrestricted/' /etc/grub.d/10_linux
+
+Generate an updated "grub.conf" file with the new password by using the following command:
+$ grub-mkconfig -o /boot/efi/EFI/ubuntu/grub.cfgVerify that an encrypted root password is set. This is only applicable on Ubuntu operating systems that use UEFI.
+
+Run the following command to verify the encrypted password is set:
+$ grep -i password /boot/efi/EFI/ubuntu/grub.cfg
+password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString
+
+If the root password entry does not begin with “password_pbkdf2”, this is a finding.SRG-OS-000254-GPOS-00095<GroupDescription></GroupDescription>UBTU-18-010002The Ubuntu operating system must initiate session audits at system startup.<VulnDiscussion>If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100523SV-109627CCI-001464Configure the Ubuntu operating system to produce audit records at system startup.
+
+Edit /etc/default/grub file and add "audit=1" to the GRUB_CMDLINE_LINUX option.
+
+To update the grub config file run,
+
+sudo update-grubVerify the Ubuntu operating system enables auditing at system startup.
+
+Check that the auditing is enabled in grub with the following command:
+
+grep "^\s*linux" /boot/grub/grub.cfg
+
+linux /vmlinuz-4.15.0-55-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash $vt_handoff audit=1
+linux /vmlinuz-4.15.0-55-generic root=/dev/mapper/ubuntu--vg-root ro recovery nomodeset audit=1
+
+If any linux lines do not contain "audit=1", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>UBTU-18-010003Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.
+
+This requirement addresses protection of user-generated data, as well as Ubuntu operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
+
+Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109629V-100525CCI-001199CCI-002475CCI-002476To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
+
+Note: Encrypting a partition in an already-installed system is more difficult because the existing partitions must be resized and changed.If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.
+
+Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption.
+
+Determine the partition layout for the system with the following command:
+
+#sudo fdisk -l
+(..)
+Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB
+
+Device Start End Sectors Size Type
+/dev/vda1 2048 4095 2048 1M BIOS boot
+/dev/vda2 4096 2101247 2097152 1G Linux filesystem
+/dev/vda3 2101248 31455231 29353984 14G Linux filesystem
+(...)
+
+Verify that the system partitions are all encrypted with the following command:
+
+# more /etc/crypttab
+
+Every persistent disk partition present must have an entry in the file. If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.SRG-OS-000478-GPOS-00223<GroupDescription></GroupDescription>UBTU-18-010005The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+Satisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100527SV-109631CCI-002450Configure the system to run in FIPS mode. Add "fips=1" to the kernel parameter during the Ubuntu operating systems install.
+
+Enabling a FIPS mode on a pre-existing system involves a number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS 140-2 security policy document for instructions. A subscription to the "Ubuntu Pro" plan is required to obtain the FIPS Kernel cryptographic modules and enable FIPS.Verify the system is configured to run in FIPS mode.
+
+Check that the system is configured to run in FIPS mode with the following command:
+
+# grep -i 1 /proc/sys/crypto/fips_enabled
+1
+
+If a value of "1" is not returned, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>UBTU-18-010006The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109633V-100529CCI-001855Edit /etc/audit/auditd.conf and set the space_left_action parameter to "exec" or "email".
+
+If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO).
+
+If the space_left_action parameter is set to "exec", make sure the command being execute notifies the System Administrator (SA) and Information System Security Officer (ISSO).
+
+Edit /etc/audit/auditd.conf and set the space_left parameter to be, at least, 25% of the repository maximum audit record storage capacity.Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
+
+Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following command:
+
+# sudo grep ^space_left_action /etc/audit/auditd.conf
+
+space_left_action email
+
+# sudo grep ^space_left /etc/audit/auditd.conf
+
+space_left 250000
+
+If the "space_left" parameter is missing, set to blanks or set to a value less than 25% of the space free in the allocated audit record storage, this is a finding.
+
+If the "space_left_action" parameter is missing or set to blanks, this is a finding.
+
+If the "space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, so this is a finding.
+
+If the "space_left_action" is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding.
+
+If the "space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command:
+
+# sudo grep action_mail_acct /etc/audit/auditd.conf
+
+action_mail_acct root@localhost
+
+The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding.
+
+Note: If the email address of the system administrator is on a remote system a mail package must be available.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>UBTU-18-010007The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100531SV-109635CCI-001851Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.
+
+Install the audisp-remote plugin:
+
+# sudo apt-get install audispd-plugins -y
+
+Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file:
+
+# sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf
+
+Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file:
+
+# sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote addr>/' audisp-remote.conf
+
+where <remote addr> must be substituted by the address of the remote server receiving the audit log.
+
+Make the audit service reload its configuration files:
+
+# sudo systemctl restart auditd.serviceVerify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.
+
+Check that audisp-remote plugin is installed:
+
+# sudo dpkg -s audispd-plugins
+
+If status is "not installed", this is a finding.
+
+Check that the records are being off-loaded to a remote server with the following command:
+
+# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf
+
+active = yes
+
+If "active" is not set to "yes", or the line is commented out, this is a finding.
+
+Check that audisp-remote plugin is configured to send audit logs to a different system:
+
+# sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf
+
+remote_server = 192.168.122.126
+
+If the remote_server parameter is not set or is set with a local address, or is set with invalid address, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>UBTU-18-010008The Ubuntu operating system must have a crontab script running weekly to off-load audit events of standalone systems.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109637V-100533CCI-001851Create a script which off-loads audit logs to external media and runs weekly.
+
+Script must be located into the /etc/cron.weekly directory.Verify there is a script which off-loads audit data and if that script runs weekly.
+
+Check if there is a script in the /etc/cron.weekly directory which off-loads audit data:
+
+# sudo ls /etc/cron.weekly
+
+audit-offload
+
+Check if the script inside the file does offloading of audit logs to an external media.
+
+If the script file does not exist or if the script file doesn't offload audit logs, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>UBTU-18-010016Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the Ubuntu operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or Ubuntu operating system components must be signed with a certificate recognized and approved by the organization.
+
+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The Ubuntu operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109639V-100535CCI-001749Configure Advance package Tool (APT) to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
+
+Remove/Update any APT configuration file that contain the variable "AllowUnauthenticated" to "false", or remove "AllowUnauthenticated" entirely from each file. Below is an example of setting the "AllowUnauthenticated" variable to "false":
+
+APT::Get::AllowUnauthenticated "false";Verify that Advance package Tool (APT) is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
+
+Check that the "AllowUnauthenticated" variable is not set at all or set to "false" with the following command:
+
+# grep AllowUnauthenticated /etc/apt/apt.conf.d/*
+/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated "false";
+
+If any of the files returned from the command with "AllowUnauthenticated" set to "true", this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>UBTU-18-010017The Ubuntu operating system must be configured so that Advance package Tool (APT) removes all software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109641V-100537CCI-002617Configure APT to remove all software components after updated versions have been installed.
+
+Add or updated the following options to the "/etc/apt/apt.conf.d/50unattended-upgrades" file:
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";Verify Advance package Tool (APT) is configured to remove all software components after updated versions have been installed.
+
+Check that APT is configured to remove all software components after updating with the following command:
+
+# grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+If the "::Remove-Unused-Dependencies" and "::Remove-Unused-Kernel-Packages" parameters are not set to "true", or are missing, or are commented out, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>UBTU-18-010018The Ubuntu operating system must not have the Network Information Service (NIS) package installed.<VulnDiscussion>Removing the Network Information Service (NIS) package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109643V-100539CCI-000381Configure the Ubuntu operating system to disable non-essential capabilities by removing the Network Information Service (NIS) package from the system with the following command:
+
+# sudo apt-get remove nisVerify that the Network Information Service (NIS) package is not installed on the Ubuntu operating system.
+
+Check to see if the NIS package is installed with the following command:
+
+# dpkg -l | grep nis
+
+If the NIS package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>UBTU-18-010019The Ubuntu operating system must not have the rsh-server package installed.<VulnDiscussion>It is detrimental for Ubuntu operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Ubuntu operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100541SV-109645CCI-000381Configure the Ubuntu operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:
+
+# sudo apt-get remove rsh-serverCheck to see if the rsh-server package is installed with the following command:
+
+# dpkg -l | grep rsh-server
+
+If the rsh-server package is installed, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>UBTU-18-010021The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP).<VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.
+
+To support this requirement, the Ubuntu operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools, as specified in the requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109649V-100545CCI-001233Configure the Ubuntu operating system to use ENSLTP.
+
+Install the mcafeetp package via the ePO server.Check that the "mcafeetp" package has been installed:
+
+# dpkg -l | grep -i mcafeetp
+
+If the "mcafeetp" package is not installed, this is a finding.
+
+Check that the daemon is running:
+
+# /opt/McAfee/ens/tp/init/mfetpd-control.sh status
+
+If the daemon is not running, this is a finding.SRG-OS-000269-GPOS-00103<GroupDescription></GroupDescription>UBTU-18-010022The Ubuntu operating system must be configured to preserve log records from failure events.<VulnDiscussion>Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.
+
+Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109651V-100547CCI-001665Configure the log service to collect failure events.
+
+Install the log service (if the log service is not already installed) with the following command:
+
+# sudo apt-get install rsyslog
+
+Enable the log service with the following command:
+
+# sudo systemctl enable rsyslog
+
+Restart the log service with the following command:
+
+# sudo systemctl restart rsyslogVerify the log service is configured to collect system failure events.
+
+Check that the log service is installed properly with the following command:
+
+# dpkg -l | grep rsyslog
+
+ii rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon
+
+If the "rsyslog" package is not installed, this is a finding.
+
+Check that the log service is enabled with the following command:
+
+# sudo systemctl is-enabled rsyslog
+
+enabled
+
+If the command above returns "disabled", this is a finding.
+
+Check that the log service is properly running and active on the system with the following command:
+
+# systemctl is-active rsyslog
+
+active
+
+If the command above returns "inactive", this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>UBTU-18-010023The Ubuntu operating system must have an application firewall installed in order to control remote access methods.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Ubuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100549SV-109653CCI-002314Install the Uncomplicated Firewall by using the following command:
+
+# sudo apt-get install ufwVerify that the Uncomplicated Firewall is installed.
+
+Check that the Uncomplicated Firewall is installed with the following command:
+
+# dpkg -l | grep ufw
+
+ii ufw 0.35-0Ubuntu2
+
+If the "ufw" package is not installed, ask the System Administrator is another application firewall is installed. If no application firewall is installed this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>UBTU-18-010025The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109655V-100551CCI-001851Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.
+
+Install the audisp-remote plugin:
+
+# sudo apt-get install audispd-plugins -y
+
+Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file:
+
+# sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf
+
+Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file:
+
+# sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote addr>/' audisp-remote.conf
+
+where <remote addr> must be substituted by the address of the remote server receiving the audit log.
+
+Make the audit service reload its configuration files:
+
+# sudo systemctl restart auditd.serviceVerify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.
+
+Check that audisp-remote plugin is installed:
+
+# sudo dpkg -s audispd-plugins
+
+If status is "not installed", verify that another method to off-load audit logs has been implemented.
+
+Check that the records are being off-loaded to a remote server with the following command:
+
+# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf
+
+active = yes
+
+If "active" is not set to "yes", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.
+
+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>UBTU-18-010030The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100553SV-109657CCI-002007Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]".
+
+offline_credentials_expiration = 1
+
+Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the /etc/sssd/conf.d/ directory instead of the /etc/sssd/sssd.conf file.If smart card authentication is not being used on the system this item is Not Applicable.
+
+Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
+
+Check that PAM prohibits the use of cached authentications after one day with the following command:
+
+# sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+
+offline_credentials_expiration = 1
+
+If "offline_credentials_expiration" is not set to a value of "1", in /etc/sssd/sssd.conf or in a file with a name ending in .conf in the /etc/sssd/conf.d/ directory, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>UBTU-18-010031The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100555SV-109659CCI-000366Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
+
+Edit the file "/etc/pam.d/common-auth" and set the parameter "pam_faildelay" to a value of 4000000 or greater:
+
+auth required pam_faildelay.so delay=4000000Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts following a failed logon attempt.
+
+Check that the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts with the following command:
+
+# grep pam_faildelay /etc/pam.d/common-auth
+
+auth required pam_faildelay.so delay=4000000
+
+If the line is not present, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010032The Ubuntu operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Configuring the Ubuntu operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
+
+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109661V-100557CCI-000052Configure the Ubuntu operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin-ac".
+
+Add the following line to the top of "/etc/pam.d/login":
+
+session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred.
+
+Check that "pam_lastlog" is used and not silent with the following command:
+
+# grep pam_lastlog /etc/pam.d/login
+
+session required pam_lastlog.so showfailed
+
+If "pam_lastlog" is missing from "/etc/pam.d/login" file, is not "required", or the "silent" option is present, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>UBTU-18-010033The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+Satisfies: SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109663V-100559CCI-000044CCI-002238Configure the Ubuntu operating system to utilize the "pam_faillock" module.
+
+Edit the /etc/pam.d/common-auth file.
+
+Add the following lines below the "auth" definition for pam_unix.so:
+auth [default=die] pam_faillock.so authfail
+auth sufficient pam_faillock.so authsucc
+
+Configure the "pam_faillock" module to use the following options:
+
+Edit the /etc/security/faillock.conf file and add/update the following keywords and values:
+audit
+silent
+deny = 3
+fail_interval = 900
+unlock_time = 0Verify that the Ubuntu operating system utilizes the "pam_faillock" module with the following command:
+$ grep faillock /etc/pam.d/common-auth
+
+auth [default=die] pam_faillock.so authfail
+auth sufficient pam_faillock.so authsucc
+
+If the pam_faillock.so module is not present in the "/etc/pam.d/common-auth" file, this is a finding.
+
+Verify the pam_faillock module is configured to use the following options:
+$ sudo egrep 'silent|audit|deny|fail_interval| unlock_time' /etc/security/faillock.conf
+
+audit
+silent
+deny = 3
+fail_interval = 900
+unlock_time = 0
+
+If the "silent" keyword is missing or commented out, this is a finding.
+If the "audit" keyword is missing or commented out, this is a finding.
+If the "deny" keyword is missing, commented out, or set to a value greater than 3, this is a finding.
+If the "fail_interval" keyword is missing, commented out, or set to a value greater than 900, this is a finding.
+If the "unlock_time" keyword is missing, commented out, or is not set to 0, this is a finding.SRG-OS-000024-GPOS-00007<GroupDescription></GroupDescription>UBTU-18-010035The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
+
+To establish acceptance of the application usage policy, a click-through banner at system logon is required. The system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100561SV-109665CCI-000050Edit the /etc/gdm3/greeter.dconf-defaults file.
+
+Uncomment (remove the leading '#' characters) the following 3 configuration lines:
+
+[org/gnome/login-screen]
+
+banner-message-enable=true
+banner-message-text='Welcome'
+
+Note: the lines are all near the bottom of the file but they are not adjacent to each other.
+
+Edit the banner-message-text='Welcome' line to contain the appropriate banner message text as shown below:
+
+banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
+
+Note that it is similar to the text in /etc/issue but it is all on a single line and the newline characters have been replaced with \n.
+
+# sudo dconf update
+# sudo systemctl restart gdm3Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
+Note: If the system does not have Graphical User Interface installed, this requirement is Not Applicable.
+
+Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:
+
+# grep banner-message-enable /etc/gdm3/greeter.dconf-defaults
+
+banner-message-enable=true
+
+If the line is commented out or set to "false", this is a finding.
+
+# grep banner-message-text /etc/gdm3/greeter.dconf-defaults
+
+banner-message-text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.\s+By using this IS \(which includes any device attached to this IS\), you consent to the following conditions:\s+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\s+-At any time, the USG may inspect and seize data stored on this IS.\s+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\s+-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\s+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+If the banner-message-text is missing, commented out, or the text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>UBTU-18-010036The Ubuntu operating system must prevent direct login into the root account.<VulnDiscussion>To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.
+
+A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account.
+
+For example, the UNIX and Windows operating systems offer a 'switch user' capability allowing users to authenticate with their individual credentials and, when needed, 'switch' to the administrator role. This method provides for unique individual authentication prior to using a group authenticator.
+
+Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication.
+
+Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109667V-100563CCI-000770Configure the Ubuntu operating system to prevent direct logins to the root account by performing the following operations:
+
+sudo passwd -l rootVerify the Ubuntu operating system prevents direct logins to the root account.
+
+Check that the Ubuntu operating system prevents direct logins to the root account with the following command:
+
+# sudo passwd -S root
+
+root L 11/11/2017 0 99999 7 -1
+
+If the output does not contain "L" in the second field to indicate the account is locked, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>UBTU-18-010037The Ubuntu operating system must be configured so that only users who need access to security functions are part of the sudo group.<VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.
+
+Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code.
+
+Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries.
+
+The Ubuntu operating system restricts access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109669V-100565CCI-001084Configure the sudo group with only members requiring access to security functions.
+
+To remove a user from the sudo group run:
+
+sudo gpasswd -d <username> sudoVerify that the sudo group has only members who should have access to security functions.
+
+# grep sudo /etc/group
+
+sudo:x:27:foo
+
+If the sudo group contains users not needing access to security functions, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>UBTU-18-010038The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any publically accessible connection to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Satisfies: SRG-OS-000228-GPOS-00088, SRG-OS-000023-GPOS-00006</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100567SV-109671CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the Ubuntu operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH logon.
+
+Edit the SSH daemon configuration "/etc/ssh/sshd_config" file. Uncomment the banner keyword and configure it to point to the file that contains the correct banner. An example of this configure is below:
+
+Banner /etc/issue
+
+Either create the file containing the banner, or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+In order for the changes to take effect, the SSH daemon must be restarted.
+
+# sudo systemctl restart sshd.serviceVerify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a ssh logon.
+
+Check that the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a ssh logon with the following command:
+
+# grep -i banner /etc/ssh/sshd_config
+
+Banner /etc/issue
+
+The command will return the banner option along with the name of the file that contains the ssh banner. If the line is commented out, this is a finding.
+
+Check the specified banner file to check that it matches the Standard Mandatory DoD Notice and Consent Banner exactly:
+
+# cat /etc/issue
+
+“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.”
+
+If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>UBTU-18-010100The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100571SV-109675CCI-000192Add or update the "/etc/security/pwquality.conf" file to contain the "ucredit" parameter:
+
+ucredit=-1Verify the Ubuntu operating system enforces password complexity by requiring that at least one upper-case character be used.
+
+Determine if the field "ucredit" is set in the "/etc/security/pwquality.conf" file with the following command:
+
+# grep -i "ucredit" /etc/security/pwquality.conf
+ucredit=-1
+
+If the "ucredit" parameter is greater than "-1", or is commented out, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>UBTU-18-010101The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100573SV-109677CCI-000193Add or update the "/etc/security/pwquality.conf" file to contain the "lcredit" parameter:
+
+lcredit=-1Verify the Ubuntu operating system enforces password complexity by requiring that at least one lower-case character be used.
+
+Determine if the field "lcredit" is set in the "/etc/security/pwquality.conf" file with the following command:
+
+# grep -i "lcredit" /etc/security/pwquality.conf
+lcredit=-1
+
+If the "lcredit" parameter is greater than "-1", or is commented out, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>UBTU-18-010102The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109679V-100575CCI-000194Configure the Ubuntu operating system to enforce password complexity by requiring that at least one numeric character be used.
+
+Add or update the "/etc/security/pwquality.conf" file to contain the "dcredit" parameter:
+
+dcredit=-1Verify the Ubuntu operating system enforces password complexity by requiring that at least one numeric character be used.
+
+Determine if the field "dcredit" is set in the "/etc/security/pwquality.conf" file with the following command:
+
+# grep -i "dcredit" /etc/security/pwquality.conf
+dcredit=-1
+
+If the "dcredit" parameter is greater than "-1", or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>UBTU-18-010103The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>If the Ubuntu operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
+
+The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
+
+If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109681V-100577CCI-000195Configure the Ubuntu operating system to require the change of at least 8 characters when passwords are changed.
+
+Add or update the "/etc/security/pwquality.conf" file to include the "difok=8" parameter:
+
+difok=8Verify the Ubuntu operating system requires the change of at least 8 characters when passwords are changed.
+
+Determine if the field "difok" is set in the "/etc/security/pwquality.conf" file with the following command:
+
+# grep -i "difok" /etc/security/pwquality.conf
+difok=8
+
+If the "difok" parameter is less than "8", or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>UBTU-18-010104The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109683V-100579CCI-000196Configure the Ubuntu operating system to encrypt all stored passwords.
+
+Edit/Modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to SHA512.
+
+ENCRYPT_METHOD SHA512Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.
+
+Check the hashing algorithm that is being used to hash passwords with the following command:
+
+# cat /etc/login.defs | grep -i crypt
+
+ENCRYPT_METHOD SHA512
+
+If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>UBTU-18-010105The Ubuntu operating system must not have the telnet package installed.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100581SV-109685CCI-000197Remove the telnet package from the Ubuntu operating system by running the following command:
+
+# sudo apt-get remove telnetdVerify that the telnet package is not installed on the Ubuntu operating system.
+
+Check that the telnet daemon is not installed on the Ubuntu operating system by running the following command:
+
+# dpkg -l | grep telnetd
+
+If the package is installed, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>UBTU-18-010106The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109687V-100583CCI-000198Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.
+
+Add, or modify the following line in the "/etc/login.defs" file:
+
+PASS_MIN_DAYS 1Verify that the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for new user accounts by running the following command:
+
+# grep -i pass_min_days /etc/login.defs
+
+PASS_MIN_DAYS 1
+
+If the "PASS_MIN_DAYS" parameter value is less than 1, or commented out, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>UBTU-18-010107The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100585SV-109689CCI-000199Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.
+
+Add, or modify the following line in the "/etc/login.defs" file:
+
+PASS_MAX_DAYS 60Verify that the Ubuntu operating system enforces a 60-day maximum password lifetime for new user accounts by running the following command:
+
+# grep -i pass_max_days /etc/login.defs
+PASS_MAX_DAYS 60
+
+If the "PASS_MAX_DAYS" parameter value is less than 60, or commented out, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>UBTU-18-010108The Ubuntu operating system must prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100587SV-109691CCI-000200Configure the Ubuntu operating system prevents passwords from being reused for a minimum of five generations.
+
+Add, or modify the "remember" parameter value to the following line in "/etc/pam.d/common-password" file:
+
+password [success=1 default=ignore] pam_unix.so sha512 shadow remember=5 rounds=5000Verify that the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command:
+
+# grep -i remember /etc/pam.d/common-password
+
+password [success=1 default=ignore] pam_unix.so sha512 shadow remember=5 rounds=5000
+
+If the "remember" parameter value is not greater than or equal to 5, commented out, or not set at all this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>UBTU-18-010109The Ubuntu operating system must enforce a minimum 15-character password length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100589SV-109693CCI-000205Configure the Ubuntu operating system to enforce a minimum 15-character password length.
+
+Add, or modify the "minlen" parameter value to the "/etc/security/pwquality.conf" file:
+
+minlen=15Verify if the pwquality configuration file enforces a minimum 15-character password length, by running the following command:
+
+# grep -i minlen /etc/security/pwquality.conf
+ minlen=15
+
+If "minlen" parameter value is not 15 or higher, or is commented out, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>UBTU-18-010110The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.<VulnDiscussion>The Ubuntu operating system must use a FIPS-compliant hashing algorithm to securely store the password. The FIPS-compliant hashing algorithm parameters must be selected in order to harden the system against offline attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109695V-100591CCI-000803Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash.
+
+Edit/modify the following line in the file "/etc/pam.d/common-password" file to include the sha512 option for pam_unix.so:
+
+password [success=1 default=ignore] pam_unix.so obscure sha512
+
+Edit/modify /etc/login.defs and set "ENCRYPT_METHOD sha512".Verify that encrypted passwords stored in /etc/shadow use a strong cryptographic hash.
+
+Check that pam_unix.so auth is configured to use sha512 with the following command:
+
+# grep password /etc/pam.d/common-password | grep pam_unix
+
+password [success=1 default=ignore] pam_unix.so obscure sha512
+
+If "sha512" is not an option of the output, or is commented out, this is a finding.
+
+Check that ENCRYPT_METHOD is set to sha512 in /etc/login.defs:
+
+# grep -i ENCRYPT_METHOD /etc/login.defs
+
+ENCRYPT_METHOD SHA512
+
+If the output does not contain "sha512", or it is commented out, this is a finding.SRG-OS-000380-GPOS-00165<GroupDescription></GroupDescription>UBTU-18-010112The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password.<VulnDiscussion>Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial logon.
+
+Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log on, yet force them to change the password once they have successfully authenticated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100593SV-109697CCI-002041Create a policy that ensures when a user is created, it is created using a method that forces a user to change their password upon their next login.
+
+Below are two examples of how to create a user account that requires the user to change their password upon their next login.
+
+# chage -d 0 [UserName]
+
+or
+
+# passwd -e [UserName]Verify a policy exists that ensures when a user account is created, it is created using a method that forces a user to change their password upon their next login.
+
+If a policy does not exist, this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>UBTU-18-010113The Ubuntu operating system must prevent the use of dictionary words for passwords.<VulnDiscussion>If the Ubuntu operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100595SV-109699CCI-000366Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.
+
+Add or update the following line in the "/etc/security/pwquality.conf" file to include the "dictcheck=1" parameter:
+
+dictcheck=1Verify that the Ubuntu operating system uses the cracklib library to prevent the use of dictionary words with the following command:
+
+# grep dictcheck /etc/security/pwquality.conf
+
+dictcheck=1
+
+If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>UBTU-18-010114The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When the Ubuntu operating system provides the capability to escalate a functional capability or change security roles, it is critical the user re-authenticate.
+
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109701V-100597CCI-002038Remove any occurrence of "NOPASSWD" or "!authenticate" found in "/etc/sudoers" file or files in the /etc/sudoers.d directory.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate".
+
+Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" or "!authenticate" by running the following command:
+
+# sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/*
+
+If any occurrences of "NOPASSWD" or "!authenticate" return from the command, this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>UBTU-18-010116The Ubuntu Operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100599SV-109703CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules.
+
+Install the pam_pwquality package by using the following command:
+
+# apt-get install libpam-pwquality -y
+
+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
+enforcing = 1
+
+Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
+
+password requisite pam_pwquality.so retry=3 enforce_for_root
+
+Note: The value of "retry" should be between "1" and "3".Verify the Ubuntu operating system has the libpam-pwquality package installed, by running the following command:
+
+# dpkg -l libpam-pwquality
+
+ii libpam-pwquality:amd64 1.4.0-2 amd64 PAM module to check password strength
+
+If "libpam-pwquality" is not installed, this is a finding.
+
+Verify the operating system uses "pwquality" to enforce the password complexity rules.
+
+Verify the pwquality module is being enforced by the Ubuntu Operating System, by running the following command:
+
+# grep -i enforcing /etc/security/pwquality.conf
+
+enforcing = 1
+
+If the value of "enforcing" is not 1 or the line is commented out, this is a finding.
+
+Check for the use of "pwquality" with the following command:
+
+# sudo cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality
+
+password requisite pam_pwquality.so retry=3 enforce_for_root
+
+If no output is returned or the line is commented out, this is a finding.
+If the value of "retry" is set to "0" or greater than "3", this is a finding.
+If "enforce_for_root" is missing from the configuration line, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>UBTU-18-010120The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+
+This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
+
+There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109705V-100601CCI-001090Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.
+
+Set the sticky bit on all public directories using the command, replace "[Public Directory]" with any directory path missing the sticky bit:
+
+# sudo chmod +t [Public Directory]Verify that all public (world writeable) directories have the public sticky bit set.
+
+Find world-writable directories that lack the sticky bit by running the following command:
+
+# sudo find / -type d -perm -002 ! -perm -1000
+
+If any world-writable directories are found missing the sticky bit, this is a finding.SRG-OS-000205-GPOS-00083<GroupDescription></GroupDescription>UBTU-18-010121The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.<VulnDiscussion>Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.
+
+Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
+
+The /var/log/btmp, /var/log/wtmp, and /var/log/lastlog files have group write and global read permissions to allow for the lastlog function to perform. Limiting the permissions beyond this configuration will result in the failure of functions that rely on the lastlog database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109707V-100603CCI-001312Configured the Ubuntu operating system to set permissions of all log files under /var/log directory to "640" or more restricted, by using the following command:
+
+Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details.
+
+$ sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;Verify the Ubuntu operating system has all system log files under the /var/log directory with a permission set to "640", by using the following command:
+
+Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details.
+
+$ sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \;
+
+If the command displays any output, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-18-010122The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100605SV-109709CCI-001314Configure the Ubuntu operating system to have syslog group-own the /var/log directory by running the following command:
+
+# sudo chgrp syslog /var/logVerify the Ubuntu operating system configures the /var/log directory to be group-owned by syslog.
+
+Check that the /var/log directory is group owned by syslog with the following command:
+
+# sudo stat -c "%n %G" /var/log
+/var/log syslog
+
+If the /var/log directory is not group-owned by syslog, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-18-010123The Ubuntu operating system must configure the /var/log directory to be owned by root.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100607SV-109711CCI-001314Configure the Ubuntu operating system to have root own the /var/log directory by running the following command:
+
+# sudo chown root /var/logVerify the Ubuntu operating system configures the /var/log directory to be owned by root.
+
+Check that the /var/log directory is owned by root with the following command:
+
+# sudo stat -c "%n %U" /var/log
+/var/log root
+
+If the /var/log directory is not owned by root, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-18-010124The Ubuntu operating system must configure the /var/log directory to have mode 0755 or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100609SV-109713CCI-001314Configure the Ubuntu operating system to have permissions of "0755" for the /var/log directory by running the following command:
+
+$ sudo chmod 0755 /var/logVerify that the Ubuntu operating system configures the /var/log directory with a mode of "755" or less permissive.
+
+Check the mode of the /var/log directory with the following command:
+
+Note: If rsyslog is active and enabled on the operating system, this requirement is not applicable.
+
+$ stat -c "%n %a" /var/log
+
+/var/log 755
+
+If a value of "755" or less permissive is not returned, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-18-010125The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109715V-100611CCI-001314Configure the Ubuntu operating system to have adm group-own the /var/log/syslog file by running the following command:
+
+# sudo chgrp adm /var/log/syslogVerify that the Ubuntu operating system configures the /var/log/syslog file to be group-owned by adm.
+
+Check that the /var/log/syslog file is group-owned by adm with the following command:
+
+# sudo stat -c "%n %G" /var/log/syslog
+/var/log/syslog adm
+
+If the /var/log/syslog file is not group-owned by adm, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-18-010126The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100613SV-109717CCI-001314Configure the Ubuntu operating system to have syslog own the /var/log/syslog file by running the following command:
+
+# sudo chown syslog /var/log/syslogVerify that the Ubuntu operating system configures the /var/log/syslog file to be owned by syslog.
+
+Check that the /var/log/syslog file is owned by syslog with the following command:
+
+# sudo stat -c "%n %U" /var/log/syslog
+/var/log/syslog syslog
+
+If the /var/log/syslog file is not owned by syslog, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-18-010127The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109719V-100615CCI-001314Configure the Ubuntu operating system to have permissions of 0640 o for the /var/log/syslog file by running the following command:
+
+# sudo chmod 0640 /var/log/syslogVerify that the Ubuntu operating system configures the /var/log/syslog file with mode 0640 or less permissive.
+
+Check the /var/log/syslog permissions by running the following command:
+
+# stat -c "%n %a" /var/log/syslog
+
+/var/log/syslog 640
+
+If a value of "640" or less permissive is not returned, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>UBTU-18-010128The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+
+The Ubuntu operating system providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100617SV-109721CCI-001493CCI-001494CCI-001495Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the correct permissive mode using the following command:
+
+# sudo chmod 0755 [audit_tool]
+
+Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode.
+
+For each audit tool,
+/sbin/auditctl, /sbin/aureport, /sbin/ausearch, /sbin/autrace, /sbin/auditd, /sbin/audispd, /sbin/augenrules
+
+Check the permissions by running the following command:
+
+# stat -c "%n %a" /sbin/auditctl
+
+755 /sbin/auditctl
+
+If any of the audit tools have a mode more permissive than 0755, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>UBTU-18-010129The Ubuntu operating system must configure audit tools to be owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+
+The Ubuntu operating system providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100619SV-109723CCI-001493Configure the audit tools on the Ubuntu operating system to be owned by root, by running the following command:
+
+# sudo chown root [audit_tool]
+
+Replace "[audit_tool]" with each audit tool not owned by root.Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent any unauthorized access, deletion, or modification.
+
+For each audit tool,
+/sbin/auditctl, /sbin/aureport, /sbin/ausearch, /sbin/autrace, /sbin/auditd, /sbin/audispd, /sbin/augenrules
+
+Check the ownership by running the following command:
+
+# stat -c "%n %U" /sbin/auditctl
+
+/sbin/auditctl root
+
+If any of the audit tools are not owned by root, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>UBTU-18-010130The Ubuntu operating system must configure the audit tools to be group-owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+
+The Ubuntu operating system providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100621SV-109725CCI-001493Configure the audit tools on the Ubuntu operating system to be group-owned by root, by running the following command:
+
+# sudo chgrp root [audit_tool]
+
+Replace "[audit_tool]" with each audit tool not group-owned by root.Verify the Ubuntu operating system configures the audit tools to be group-owned by root to prevent any unauthorized access, deletion, or modification.
+
+For each audit tools,
+/sbin/auditctl, /sbin/aureport, /sbin/ausearch, /sbin/autrace, /sbin/auditd, /sbin/audispd, /sbin/augenrules
+
+Check the group-owner of each audit tool by running the following commands:
+
+stat -c "%n %G" /sbin/auditctl
+
+/sbin/auditctl root
+
+If any of the audit tools are not group-owned by root, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010133The Ubuntu operating system library files must have mode 0755 or less permissive.<VulnDiscussion>If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100623SV-109727CCI-001499Configure the library files to be protected from unauthorized access. Run the following command:
+$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -iname *.so* -exec chmod 755 '{}' \Verify the system-wide shared library files contained in the directories "/lib", "/lib64" and "/usr/lib" have mode 0755 or less permissive.
+
+Check that the system-wide shared library files have mode 0755 or less permissive with the following command:
+$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec stat -c "%n %a" '{}' \;
+/usr/lib64/pkcs11-spy.so
+
+If any library files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010134The Ubuntu operating system library directories must have mode 0755 or less permissive.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109729V-100625CCI-001499Configure the shared library directories to be protected from unauthorized access. Run the following command:
+
+# sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' \;Verify the system-wide shared library directories "/lib", "/lib64" and "/usr/lib have mode 0755 or less permissive.
+
+Check that the system-wide shared library directories have mode 0755 or less permissive with the following command:
+
+# sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec stat -c "%n %a" '{}' \;
+
+If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010135The Ubuntu operating system library files must be owned by root.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109731V-100627CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command:
+
+# sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root '{}' \;Verify the system-wide shared library files contained in the directories "/lib", "/lib64" and "/usr/lib" are owned by root.
+
+Check that the system-wide shared library files are owned by root with the following command:
+
+# sudo find /lib /usr/lib /lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \;
+
+If any system wide library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010136The Ubuntu operating system library directories must be owned by root.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100629SV-109733CCI-001499Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command:
+
+# sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' \;Verify the system-wide shared library directories "/lib", "/lib64" and "/usr/lib" are owned by root.
+
+Check that the system-wide shared library directories are owned by root with the following command:
+
+# sudo find /lib /usr/lib /lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
+
+If any system wide library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010137The Ubuntu operating system library files must be group-owned by root.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100631SV-109735CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command:
+$ sudo find /lib /usr/lib /lib64 ! -group root -type f -iname *.so* -exec chgrp root '{}' \;Verify the system-wide library files contained in the directories "/lib", "/lib64" and "/usr/lib" are group-owned by root.
+
+Check that the system-wide library files are group-owned by root with the following command:
+$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \;
+
+If any system wide shared library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010138The Ubuntu operating system library directories must be group-owned by root.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109737V-100633CCI-001499Configure the system library directories to be protected from unauthorized access. Run the following command:
+
+# sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \;Verify the system-wide library directories "/lib", "/lib64" and "/usr/lib" are group-owned by root.
+
+Check that the system-wide library directories are group-owned by root with the following command:
+
+# sudo find /lib /usr/lib /lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;
+
+If any system wide shared library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010139The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100635SV-109739CCI-001499Configure the system commands to be protected from unauthorized access. Run the following command:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;Verify the system commands contained in the following directories have mode 0755 or less permissive:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Check that the system command files have mode 0755 or less permissive with the following command:
+
+# find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c "%n %a" '{}' \;
+
+If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010140The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100637SV-109741CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;Verify the system commands directories have mode 0755 or less permissive:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Check that the system command directories have mode 0755 or less permissive with the following command:
+
+# find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \;
+
+If any directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010141The Ubuntu operating system must have system commands owned by root.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109743V-100639CCI-001499Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;Verify the system commands contained in the following directories are owned by root:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Use the following command for the check:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \;
+
+If any system commands are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010142The Ubuntu operating system must have directories that contain system commands owned by root.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100641SV-109745CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;Verify the system commands directories are owned by root:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Use the following command for the check:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \;
+
+If any system commands directories are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010143The Ubuntu operating system must have system commands group-owned by root or a system account.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100643SV-109747CCI-001499Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account.
+
+$ sudo chgrp root [FILE]Verify the system commands contained in the following directories are group-owned by root or a system account:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Run the check with the following command:
+
+$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f -exec stat -c "%n %G" '{}' \;
+
+If any system commands are returned that are not Set Group ID up on execution (SGID) files and group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-18-010144The Ubuntu operating system must have directories that contain system commands group-owned by root.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109749V-100645CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;Verify the system commands directories are group-owned by root:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Run the check with the following command:
+
+# sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \;
+
+If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>UBTU-18-010145The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109751V-100647CCI-001619Configure the Ubuntu operating system to enforce password complexity by requiring that at least one special character be used.
+
+Add or update the following line in the "/etc/security/pwquality.conf" file to include the "ocredit=-1" parameter:
+
+ocredit=-1Determine if the field "ocredit" is set in the "/etc/security/pwquality.conf" file with the following command:
+
+# grep -i "ocredit" /etc/security/pwquality.conf
+ocredit=-1
+
+If the "ocredit" parameter is greater than "-1", or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010150The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109753V-100649CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user interface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.
+
+Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:
+
+[org/gnome/settings-daemon/plugins/media-keys]
+logout=''
+
+Then update the dconf settings:
+
+# dconf updateVerify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface.
+
+Check that the "logout" target is not bound to an action with the following command:
+
+# grep logout /etc/dconf/db/local.d/*
+
+logout=''
+
+If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010151The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100651SV-109755CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:
+
+$ sudo systemctl disable ctrl-alt-del.target
+
+$ sudo systemctl mask ctrl-alt-del.target
+
+And reload the daemon to take effect:
+
+$ sudo systemctl daemon-reloadVerify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
+
+Check that the "ctrl-alt-del.target" (otherwise also known as reboot.target) is not active with the following command:
+
+$ sudo systemctl status ctrl-alt-del.target
+ctrl-alt-del.target
+Loaded: masked (/dev/null; bad)
+Active: inactive (dead)
+
+If the "ctrl-alt-del.target" is not masked, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010201The Ubuntu operating system must generate audit records for the use and modification of the tallylog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109757V-100653CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "tallylog" file occur.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-w /var/log/tallylog -p wa -k logins
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "tallylog" file occur.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep tallylog
+
+-w /var/log/tallylog -p wa -k logins
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010202The Ubuntu operating system must generate audit records for the use and modification of faillog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109759V-100655CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file occur.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-w /var/log/faillog -p wa -k logins
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "faillog" file occur.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep faillog
+
+-w /var/log/faillog -p wa -k logins
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010203The Ubuntu operating system must generate audit records for the use and modification of the lastlog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100657SV-109761CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file occur.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-w /var/log/lastlog -p wa -k logins
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "lastlog" file occur.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep lastlog
+
+-w /var/log/lastlog -p wa -k logins
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>UBTU-18-010237The Ubuntu operating system must generate audit records for privileged activities or other system-level access.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109763V-100659CCI-000172Configure the Ubuntu operating system to audit privileged activities.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-w /var/log/sudo.log -p wa -k actions
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system audits privileged activities.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep sudo.log
+
+-w /var/log/sudo.log -p wa -k priv_actions
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Notes: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>UBTU-18-010238The Ubuntu operating system must generate audit records for the /var/log/wtmp file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100661SV-109765CCI-000172Configure the audit system to generate audit events showing start and stop times for user access via the /var/log/wtmp file.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-w /var/log/wtmp -p wa -k logins
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via /va/rlog/wtmp.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep '/var/log/wtmp'
+
+-w /var/log/wtmp -p wa -k logins
+
+If the command does not return a line matching the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>UBTU-18-010239The Ubuntu operating system must generate audit records for the /var/run/utmp file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100663SV-109767CCI-000172Configure the audit system to generate audit events showing start and stop times for user access via the /var/run/utmp file.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+-w /var/run/utmp -p wa -k logins
+
+Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via /var/run/utmp file.
+
+Check the currently configured audit rules with the following command:
+$ sudo auditctl -l | grep '/var/run/utmp'
+
+-w /var/run/utmp -p wa -k logins
+
+If the command does not return a line matching the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>UBTU-18-010240The Ubuntu operating system must generate audit records for the /var/log/btmp file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109769V-100665CCI-000172Configure the audit system to generate audit events showing start and stop times for user access via the /var/log/btmp file.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-w /var/log/btmp -p wa -k logins
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via /var/log/btmp file.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep '/var/log/btmp'
+
+-w /var/log/btmp -p wa -k logins
+
+If the command does not return a line matching the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000476-GPOS-00221<GroupDescription></GroupDescription>UBTU-18-010244The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000004-GPOS-00004</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109771V-100667CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
+
+Add or update the following rule to "/etc/audit/rules.d/stig.rules":
+
+-w /etc/passwd -p wa -k usergroup_modification
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep passwd
+
+-w /etc/passwd -p wa -k usergroup_modification
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000476-GPOS-00221<GroupDescription></GroupDescription>UBTU-18-010245The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100669SV-109773CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
+
+Add or update the following rule to "/etc/audit/rules.d/stig.rules":
+
+-w /etc/group -p wa -k usergroup_modification
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep group
+
+-w /etc/group -p wa -k usergroup_modification
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000476-GPOS-00221<GroupDescription></GroupDescription>UBTU-18-010246The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000463-GPOS-00207, SRG-OS-000458-GPOS-00203, SRG-OS-000303-GPOS-00120, SRG-OS-000241-GPOS-00091, SRG-OS-000240-GPOS-00090, SRG-OS-000239-GPOS-00089</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100671SV-109775CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
+
+Add or update the following rule to "/etc/audit/rules.d/stig.rules":
+
+-w /etc/gshadow -p wa -k usergroup_modification
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep gshadow
+
+-w /etc/gshadow -p wa -k usergroup_modification
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000476-GPOS-00221<GroupDescription></GroupDescription>UBTU-18-010247The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000463-GPOS-00207, SRG-OS-000458-GPOS-00203, SRG-OS-000303-GPOS-00120, SRG-OS-000241-GPOS-00091, SRG-OS-000240-GPOS-00090, SRG-OS-000239-GPOS-00089</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109777V-100673CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+
+Add or update the following rule to "/etc/audit/rules.d/stig.rules":
+
+-w /etc/shadow -p wa -k usergroup_modification
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep shadow
+
+-w /etc/shadow -p wa -k usergroup_modification
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000476-GPOS-00221<GroupDescription></GroupDescription>UBTU-18-010248The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000463-GPOS-00207, SRG-OS-000458-GPOS-00203, SRG-OS-000303-GPOS-00120, SRG-OS-000241-GPOS-00091, SRG-OS-000240-GPOS-00090, SRG-OS-000239-GPOS-00089</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100675SV-109779CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
+
+Add or update the following rule to "/etc/audit/rules.d/stig.rules":
+
+-w /etc/security/opasswd -p wa -k usergroup_modification
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep opasswd
+
+-w /etc/security/opasswd -p wa -k usergroup_modification
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000038-GPOS-00016<GroupDescription></GroupDescription>UBTU-18-010250The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.<VulnDiscussion>Without establishing the when, where, type, source, and outcome of events that occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the operating system does not provide the ability to centrally review the operating system logs, forensic analysis is negatively impacted.
+
+Associating event types with detected events in the Ubuntu operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
+
+Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109781V-100677CCI-000131CCI-000132CCI-000133CCI-000134CCI-000135CCI-000154CCI-000158CCI-000169CCI-000172CCI-001814CCI-001875CCI-001876CCI-001877CCI-001878CCI-001879CCI-001880CCI-001914CCI-002884Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred.
+
+Install the audit service (if the audit service is not already installed) with the following command:
+
+# sudo apt-get install auditd
+
+Enable the audit service with the following command:
+
+# sudo systemctl enable auditd.service
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the audit service is configured to produce audit records.
+
+Check that the audit service is installed properly with the following command:
+
+# dpkg -l | grep auditd
+
+If the "auditd" package is not installed, this is a finding.
+
+Check that the audit service is enabled with the following command:
+
+# systemctl is-enabled auditd.service
+
+If the command above returns "disabled", this is a finding.
+
+Check that the audit service is properly running and active on the system with the following command:
+
+# systemctl is-active auditd.service
+active
+
+If the command above returns "inactive", this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>UBTU-18-010300The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100679SV-109783CCI-000139Configure "auditd" service to notify the System Administrator (SA) and Information System Security Officer (ISSO) in the event of an audit processing failure.
+
+Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:
+
+action_mail_acct = root
+
+Restart the auditd service so the changes take effect:
+# sudo systemctl restart auditd.serviceVerify that the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) are notified in the event of an audit processing failure.
+
+Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) win the event of an audit processing failure with the following command:
+
+# sudo grep action_mail_acct = root /etc/audit/auditd.conf
+
+action_mail_acct = root
+
+If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>UBTU-18-010301The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern).<VulnDiscussion>It is critical that when the Ubuntu operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
+
+When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
+
+1) If the failure was caused by the lack of audit record storage capacity, the Ubuntu operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.
+
+2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the Ubuntu operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109785V-100681CCI-000140Configure the Ubuntu operating system to shut down by default upon audit failure (unless availability is an overriding concern).
+
+Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG", "HALT" or "SINGLE") in "/etc/audit/auditd.conf" file:
+
+disk_full_action = HALT
+
+Restart the auditd service so the changes take effect:
+# sudo systemctl restart auditd.serviceVerify the Ubuntu operating system takes the appropriate action when the audit storage volume is full.
+
+Check that the Ubuntu operating system takes the appropriate action when the audit storage volume is full with the following command:
+
+# sudo grep disk_full_action /etc/audit/auditd.conf
+
+disk_full_action = HALT
+
+If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.SRG-OS-000058-GPOS-00028<GroupDescription></GroupDescription>UBTU-18-010305The Ubuntu operating system must be configured so that audit log files cannot be read or write-accessible by unauthorized users.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
+
+Satisfies: SRG-OS-000058-GPOS-00028, SRG-OS-000057-GPOS-00027</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109787V-100683CCI-000162CCI-000163Configure the audit log files to have a mode of "0600" or less permissive.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, configure the audit log files to have a mode of "0600" or less permissive by using the following command:
+
+# sudo chmod 0600 /var/log/audit/*Verify that the audit log files have a mode of "0600" or less permissive.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, check if the audit log files have a mode of "0600" or less by using the following command:
+
+# sudo stat -c "%n %a" /var/log/audit/*
+/var/log/audit/audit.log 600
+
+If the audit log files have a mode more permissive than "0600", this is a finding.SRG-OS-000058-GPOS-00028<GroupDescription></GroupDescription>UBTU-18-010306The Ubuntu operating system must permit only authorized accounts ownership of the audit log files.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
+
+Satisfies: SRG-OS-000058-GPOS-00028, SRG-OS-000057-GPOS-00027</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109789V-100685CCI-000162CCI-000163Configure the audit log files to be owned by "root" user.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, configure the audit log files to be owned by "root" user by using the following command:
+
+# sudo chown root /var/log/audit/*Verify that the audit log files are owned by "root" account.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, check if the audit log files are owned by the "root" user by using the following command:
+
+# sudo stat -c "%n %U" /var/log/audit/*
+/var/log/audit/audit.log root
+
+If the audit log files are owned by an user other than "root", this is a finding.SRG-OS-000058-GPOS-00028<GroupDescription></GroupDescription>UBTU-18-010307The Ubuntu operating system must permit only authorized groups to own the audit log files.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
+
+Satisfies: SRG-OS-000058-GPOS-00028, SRG-OS-000057-GPOS-00027</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109791V-100687CCI-000162CCI-000163Configure the audit log files to be owned by "root" group.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, configure the audit log files to be owned by "root" group by using the following command:
+
+# sudo chown :root /var/log/audit/*Verify that the audit log files are owned by "root" group.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, check if the audit log files are owned by the "root" group by using the following command:
+
+# sudo stat -c "%n %G" /var/log/audit/*
+/var/log/audit/audit.log root
+
+If the audit log files are owned by a group other than "root", this is a finding.SRG-OS-000059-GPOS-00029<GroupDescription></GroupDescription>UBTU-18-010308The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109793V-100689CCI-000164Configure the audit log directory to have a mode of "0750" or less permissive.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0750" or less permissive by using the following command:
+
+# chmod -R g-w,o-rwx /var/log/auditVerify that the audit log directory has a mode of "0750" or less permissive.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, check if the directory has a mode of "0750" or less by using the following command:
+
+# sudo stat -c "%n %a" /var/log/audit
+/var/log/audit 750
+
+If the audit log directory has a mode more permissive than "0750", this is a finding.SRG-OS-000059-GPOS-00029<GroupDescription></GroupDescription>UBTU-18-010309The Ubuntu operating system must allow only authorized accounts to own the audit log directory.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100691SV-109795CCI-000164Configure the audit log directory to be owned by "root" user.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, configure the audit log directory to be owned by "root" user by using the following command:
+
+# chown -R root /var/log/auditVerify that the audit log directory is owned by "root" account.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, check if the directory is owned by the "root" user by using the following command:
+
+# sudo stat -c "%n %U" /var/log/audit
+/var/log/audit root
+
+If the audit log directory is owned by an user other than "root", this is a finding.SRG-OS-000059-GPOS-00029<GroupDescription></GroupDescription>UBTU-18-010310The Ubuntu operating system must ensure only authorized groups can own the audit log directory and its underlying files.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109797V-100693CCI-000164Configure the audit log directory to be owned by "root" group.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, configure the audit log directory to be owned by "root" group by using the following command:
+
+# chown -R :root /var/log/auditVerify that the audit log directory is owned by "root" group.
+
+First determine where the audit logs are stored with the following command:
+
+# sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Using the path of the directory containing the audit logs, check if the directory is owned by the "root" group by using the following command:
+
+# sudo stat -c "%n %G" /var/log/audit
+/var/log/audit root
+
+If the audit log directory is owned by a group other than "root", this is a finding.SRG-OS-000063-GPOS-00032<GroupDescription></GroupDescription>UBTU-18-010311The Ubuntu operating system must be configured so that audit configuration files are not write-accessible by unauthorized users.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100695SV-109799CCI-000171Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files to have a mode of 0640 by using the following command:
+
+# chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
+
+Note: The "root" account must be used to edit any files in the /etc/audit and /etc/audit/rules.d/ directories.Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files have a mode of 0640 or less permissive by using the following command:
+
+# sudo ls -al /etc/audit/ /etc/audit/rules.d/
+
+/etc/audit/:
+
+drwxr-x--- 3 root root 4096 Nov 25 11:02 .
+
+drwxr-xr-x 130 root root 12288 Dec 19 13:42 ..
+
+-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf
+
+-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules
+
+-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev
+
+-rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules
+
+drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d
+
+/etc/audit/rules.d/:
+
+drwxr-x--- 2 root root 4096 Dec 27 09:56 .
+
+drwxr-x--- 3 root root 4096 Nov 25 11:02 ..
+
+-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules
+
+If "/etc/audit/audit.rule","/etc/audit/rules.d/*" or "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.SRG-OS-000063-GPOS-00032<GroupDescription></GroupDescription>UBTU-18-010312The Ubuntu operating system must permit only authorized accounts to own the audit configuration files.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109801V-100697CCI-000171Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files to be owned by root user by using the following command:
+
+# chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
+
+Note: The "root" account must be used to edit any files in the /etc/audit and /etc/audit/rules.d/ directories.Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files are owned by root account by using the following command:
+
+# sudo ls -al /etc/audit/ /etc/audit/rules.d/
+
+/etc/audit/:
+
+drwxr-x--- 3 root root 4096 Nov 25 11:02 .
+
+drwxr-xr-x 130 root root 12288 Dec 19 13:42 ..
+
+-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf
+
+-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules
+
+-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev
+
+-rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules
+
+drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d
+
+/etc/audit/rules.d/:
+
+drwxr-x--- 2 root root 4096 Dec 27 09:56 .
+
+drwxr-x--- 3 root root 4096 Nov 25 11:02 ..
+
+-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules
+
+If "/etc/audit/audit.rules" or "/etc/audit/rules.d/*" or "/etc/audit/auditd.conf" file is owned by a user other than "root", this is a finding.SRG-OS-000063-GPOS-00032<GroupDescription></GroupDescription>UBTU-18-010313The Ubuntu operating system must permit only authorized groups to own the audit configuration files.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100699SV-109803CCI-000171Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files to be owned by root group by using the following command:
+
+# chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
+
+Note: The "root" account must be used to edit any files in the /etc/audit and /etc/audit/rules.d/ directories.Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files are owned by root group by using the following command:
+
+# sudo ls -al /etc/audit/ /etc/audit/rules.d/
+
+/etc/audit/:
+
+drwxr-x--- 3 root root 4096 Nov 25 11:02 .
+
+drwxr-xr-x 130 root root 12288 Dec 19 13:42 ..
+
+-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf
+
+-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules
+
+-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev
+
+-rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules
+
+drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d
+
+/etc/audit/rules.d/:
+
+drwxr-x--- 2 root root 4096 Dec 27 09:56 .
+
+drwxr-x--- 3 root root 4096 Nov 25 11:02 ..
+
+-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules
+
+If "/etc/audit/audit.rules" or "/etc/audit/rules.d/*" or "/etc/audit/auditd.conf" file is owned by a group other than "root", this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>UBTU-18-010314The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>In order to ensure Ubuntu operating systems have sufficient storage capacity in which to write the audit logs, Ubuntu operating system needs to be able to allocate audit record storage capacity.
+
+The task of allocating audit record storage capacity is usually performed during initial installation of the Ubuntu operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100701SV-109805CCI-001849Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
+
+If audit records are stored on a partition made specifically for audit records, use the "parted" program to resize the partition with sufficient space to contain one week's worth of audit records.
+
+If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created.
+
+Set the auditd server to point to the mount point where the audit records must be located:
+
+# sudo sed -i -E 's@^(log_file\s*=\s*).*@\1 <log mountpoint>/audit.log@' /etc/audit/auditd.conf
+
+where <log mountpoint> is the aforementioned mount point.Verify the Ubuntu operating system allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
+
+Determine which partition the audit records are being written to with the following command:
+
+# sudo grep log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command:
+
+# df –h /var/log/audit/
+/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
+
+If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:
+
+#du –sh [audit_partition]
+1.8G /var/log/audit
+
+Note: The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient.
+
+If the audit record partition is not allocated for sufficient storage capacity, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010315The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109807V-100703CCI-000172Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --load
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.Verify if the Ubuntu operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep '/bin/su'
+
+-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010316The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100705SV-109809CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --load
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.Verify if the Ubuntu operating system generates audit records when successful/unsuccessful attempts to use of the "chfn" command occur.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep '/usr/bin/chfn'
+
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010317The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100707SV-109811CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --load
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.Verify if the Ubuntu operating system generates audit records when successful/unsuccessful attempts to use of the "mount" command occur.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep '/bin/mount'
+
+-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010318The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109813V-100709CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --load
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.Verify if the Ubuntu operating system generates audit records when successful/unsuccessful attempts to use of the "umount" command occur.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep '/bin/umount'
+
+-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010319The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100711SV-109815CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --load
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ssh-agent" command occur.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep '/usr/bin/ssh-agent'
+
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010320The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100713SV-109817CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --load
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" command occur.
+
+Check the configured audit rules with the following commands:
+
+#sudo auditctl -l | grep ssh-keysign
+
+-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010321The Ubuntu operating system must generate audit records for any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100715SV-109819CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+To reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep xattr
+
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+
+If the command does not return audit rules for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The "-k" allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010327The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100725SV-109829CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules":
+
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+To reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep chown
+
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
+
+If the command does not return audit rules for the "chown", "fchown", "fchownat", and "lchown" syscalls or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The "-k" allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010331The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100733SV-109837CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" system calls.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules":
+
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+To reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" system calls.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep chmod
+
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
+
+If the command does not return audit rules for the "chmod", "fchmod", and "fchmodat" syscalls or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The "-k" allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010334The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100739SV-109843CCI-000172Configure the audit system to generate an audit event for any unsuccessful use of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+To reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep 'open\|truncate\|creat'
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+
+If the command does not return audit rules for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The "-k" allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010340The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109855V-100751CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "sudo" command.
+
+Check the configured audit rules with the following command:
+
+# sudo auditctl -l | grep /usr/bin/sudo
+
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010341The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100753SV-109857CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules":
+
+-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "sudoedit" command occur.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep /usr/bin/sudoedit
+
+-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010342The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109859V-100755CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chsh" command.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep chsh
+
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Notes: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010343The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100757SV-109861CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "newgrp" command occur.
+
+Check the configured audit rules with the following commands:
+
+# sudo auditctl -l | grep newgrp
+
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010344The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100759SV-109863CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chcon" command occur.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep chcon
+
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010345The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100761SV-109865CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "apparmor_parser" command occur.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep apparmor_parser
+
+-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010346The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109867V-100763CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "setfacl" command occur.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep setfacl
+
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010347The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100765SV-109869CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chacl" command occur.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep chacl
+
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010348The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109871V-100767CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command.
+
+Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --load
+Verify that an audit event is generated for any successful/unsuccessful use of the "passwd" command.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep -w passwd
+
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010349The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100769SV-109873CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "unix_update" command.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep -w unix_update
+
+-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010350The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109875V-100771CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the gpasswd command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "gpasswd" command.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep -w gpasswd
+
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010351The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109877V-100773CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "chage" command.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep -w chage
+
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010352The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109879V-100775CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "usermod" command.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep -w usermod
+
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010353The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100917SV-110021CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "crontab" command.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep -w crontab
+
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-18-010354The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100777SV-109881CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "pam_timestamp_check" command.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep -w pam_timestamp_check
+
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
+
+If the command does not return a line that matches the example or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>UBTU-18-010358The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.<VulnDiscussion>In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.
+
+Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.
+
+Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109889V-100785CCI-002233CCI-002234Configure the Ubuntu operating system to audit the execution of all privileged functions.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system audits the execution of privilege functions by auditing the "execve" system call.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep execve
+
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000468-GPOS-00212<GroupDescription></GroupDescription>UBTU-18-010375The Ubuntu operating system must generate audit records upon successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100797SV-109901CCI-000172Configure the audit system to generate audit events upon successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -Fauid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+To reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify the Ubuntu operating system generates audit records upon successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep 'unlink\|rename\|rmdir'
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
+
+If the command does not return audit rules for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The "-k" allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-18-010387The Ubuntu operating system must generate records for successful/unsuccessful uses of init_module or finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109919V-100815CCI-000172Configure the audit system to generate an audit event for any use of the "init_module" or "finit_module" system calls.
+
+Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
+
+-a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
+-a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify if the Ubuntu operating system is configured to audit the "init_module" and "finit_module" syscalls, by running the following command:
+
+# sudo auditctl -l | grep -E 'init_module|finit_module'
+
+-a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
+-a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-18-010388The Ubuntu operating system must generate records for successful/unsuccessful uses of delete_module syscall and when unloading dynamic kernel modules.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000471-GPOS-00216</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100817SV-109921CCI-000172Configure the Ubuntu operating system to generate an audit event for any use of the delete_module system call.
+
+Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file.
+
+-a always,exit -F arch=b32 -S delete_module -F key=modules
+-a always,exit -F arch=b64 -S delete_module -F key=modules
+
+Notes: For 32-bit architectures, only the 32-bit specific entries are required.
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify if the Ubuntu operating system is configured to audit the "delete_module" syscall, by running the following command:
+
+# sudo auditctl -l | egrep delete_module
+
+-a always,exit -F arch=b64 -S delete_module -F key=modules
+-a always,exit -F arch=b32 -S delete_module -F key=modules
+
+If the command does not return lines that match the example or the lines are commented out, this is a finding.
+
+Notes:
+For 32-bit architectures, only the 32-bit specific output lines from the commands are required.
+The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-18-010389The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use modprobe command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100819SV-109923CCI-000172Configure the Ubuntu operating system to audit the execution of the module management program "modprobe".
+
+Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file.
+
+-w /sbin/modprobe -p x -k modules
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify if the Ubuntu operating system is configured to audit the execution of the module management program "modprobe", by running the following command:
+
+sudo auditctl -l | grep "/sbin/modprobe"
+
+-w /sbin/modprobe -p x -k modules
+
+If the command does not return a line, or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-18-010391The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109925V-100821CCI-000172Configure the Ubuntu operating system to audit the execution of the module management program "kmod".
+
+Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file.
+
+-w /bin/kmod -p x -k modules
+
+Note:
+The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify if the Ubuntu operating system is configured to audit the execution of the module management program "kmod".
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep kmod
+
+-w /bin/kmod -p x -k module
+
+If the command does not return a line, or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-18-010392The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100823SV-109927CCI-000172Configure the Ubuntu operating system to audit the execution of the partition management program "fdisk".
+
+Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file.
+
+-w /sbin/fdisk -p x -k fdisk
+
+Note: The root account must be used to view and/or edit any files in the /etc/audit/rules.d/ directory.
+
+In order to reload the rules file, issue the following command:
+
+# sudo augenrules --loadVerify if the Ubuntu operating system is configured to audit the execution of the partition management program "fdisk".
+
+Check the currently configured audit rules with the following command:
+
+# sudo auditctl -l | grep fdisk
+
+-w /sbin/fdisk -p x -k fdisk
+
+If the command does not return a line, or the line is commented out, this is a finding.
+
+Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>UBTU-18-010400The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.<VulnDiscussion>Ubuntu operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100825SV-109929CCI-000054Configure the Ubuntu operating system to limit the number of concurrent sessions to ten for all accounts and/or account types.
+
+Add the following line to the top of the /etc/security/limits.conf:
+
+* hard maxlogins 10Verify that the Ubuntu operating system limits the number of concurrent sessions to ten for all accounts and/or account types by running the following command:
+$ grep maxlogins /etc/security/limits.conf
+
+The result must contain the following line:
+* hard maxlogins 10
+
+If the "maxlogins" item is missing, or the value is not set to 10 or less, or is commented out, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>UBTU-18-010401The Ubuntu operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Ubuntu operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100827SV-109931CCI-000056Configure the Ubuntu operating system so that it allows a user to lock the current graphical user interface session.
+
+Note: If the Ubuntu operating system does not have a Graphical User Interface installed, this requirement is Not Applicable.
+
+Set the ""lock-enabled"" setting to allow graphical user interface session locks with the following command:
+
+# sudo gsettings set org.gnome.desktop.screensaver lock-enabled trueVerify the Ubuntu operation system has a graphical user interface session lock enabled.
+
+Note: If the Ubuntu operating system does not have a Graphical User Interface installed, this requirement is Not Applicable.
+
+Get the ""lock-enabled"" setting to verify if the graphical user interface session has the lock enabled with the following command:
+
+# sudo gsettings get org.gnome.desktop.screensaver lock-enabled
+
+true
+
+If "lock-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>UBTU-18-010402The Ubuntu operating system must initiate a session lock after a 15-minute period of inactivity for all connection types.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the Ubuntu operating system need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109933V-100829CCI-000057Configure the Ubuntu operating system to initiate a session logout after a 15-minute period of inactivity.
+
+Create a file to contain the system-wide session auto logout script (if it does not already exist) with the following command:
+
+# sudo touch /etc/profile.d/autologout.sh
+
+Add the following lines to the "/etc/profile.d/autologout.sh" script:
+
+TMOUT=900
+readonly TMOUT
+export TMOUTVerify the Ubuntu operating system initiates a session logout after a 15-minute period of inactivity.
+
+Check that the proper auto logout script exists with the following command:
+
+# cat /etc/profile.d/autologout.sh
+TMOUT=900
+readonly TMOUT
+export TMOUT
+
+If the file "/etc/profile.d/autologout.sh" does not exist with the contents shown above, the value of "TMOUT" is greater than 900, or the timeout values are commented out, this is a finding.SRG-OS-000030-GPOS-00011<GroupDescription></GroupDescription>UBTU-18-010403The Ubuntu operating system must be configured for users to directly initiate a session lock for all connection types.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, the Ubuntu operating system need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.
+
+Satisfies: SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100831SV-109935CCI-000058CCI-000060Install the "vlock" (if it is not already installed) package by running the following command:
+
+# sudo apt-get install vlockVerify the Ubuntu operating system has the 'vlock' package installed, by running the following command:
+
+# dpkg -l | grep vlock
+
+If "vlock" is not installed, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>UBTU-18-010410The Ubuntu operating system must monitor remote access methods.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109939V-100835CCI-000067Configure the Ubuntu operating system to monitor all remote access methods by adding the following lines to the "/etc/rsyslog.d/50-default.conf" file:
+
+auth.*,authpriv.* /var/log/secure
+daemon.* /var/log/messages
+
+In order for the changes to take effect the "rsyslog" service must be restarted with the following command:
+
+$ sudo systemctl restart rsyslog.serviceVerify that the Ubuntu operating system monitors all remote access methods.
+
+Check that remote access methods are being logged by running the following command:
+
+$ grep -E -r '^(auth,authpriv\.\*|daemon\.\*)' /etc/rsyslog.*
+/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log
+/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages
+
+If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged in at least one of the config files, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>UBTU-18-010411The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
+
+By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109941V-100837CCI-000068Configure the Ubuntu operating system to allow the SSH daemon to only implement DoD-approved encryption.
+
+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+In order for the changes to take effect, the SSH daemon must be restarted.
+
+# sudo systemctl restart sshd.serviceVerify the SSH daemon is configured to only implement DoD-approved encryption.
+
+Check the SSH daemon's current configured ciphers by running the following command:
+
+# grep -E '^Ciphers ' /etc/ssh/sshd_config
+
+Ciphers aes256-ctr,aes192-ctr, aes128-ctr
+
+If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
+SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>UBTU-18-010412The Ubuntu operating system must enforce SSHv2 for network access to all accounts.<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack.
+
+An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
+
+A privileged account is any information system account with authorizations of a privileged user.
+
+Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
+
+Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100839SV-109943CCI-001941CCI-001942Configure the Ubuntu operating system to enforce SSHv2 for network access to all accounts.
+
+Add or update the following line in the "/etc/ssh/sshd_config" file:
+
+Protocol 2
+
+Restart the ssh service.
+
+# systemctl restart sshd.serviceVerify that the Ubuntu operating system enforces SSH protocol 2 for network access.
+
+Check the protocol versions that SSH allows with the following command:
+
+# grep Protocol /etc/ssh/sshd_config
+
+Protocol 2
+
+If the returned line allows for use of protocol "1", is commented out, or the line is missing, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>UBTU-18-010414The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.<VulnDiscussion>Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100841SV-109945CCI-000877Configure the Ubuntu operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions.
+
+Add or modify the following line to /etc/ssh/sshd_config
+
+UsePAM yesVerify the Ubuntu operating system is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance.
+
+Check that "UsePAM" is set to yes in /etc/ssh/sshd_config:
+
+# grep UsePAM /etc/ssh/sshd_config
+
+UsePAM yes
+
+If "UsePAM" is not set to "yes", this is a finding.SRG-OS-000126-GPOS-00066<GroupDescription></GroupDescription>UBTU-18-010415The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.
+
+Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.
+
+Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
+
+This capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100843SV-109947CCI-000879Configure the Ubuntu operating system to automatically terminate inactive SSH sessions after a period of inactivity.
+
+Modify or append the following line in the "/etc/ssh/sshd_config" file replacing "[Count]" with a value of 1:
+
+ClientAliveCountMax 1
+
+In order for the changes to take effect, the SSH daemon must be restarted.
+
+# sudo systemctl restart sshd.serviceVerify that all network connections associated with SSH traffic automatically terminate after a period of inactivity.
+
+Check that "ClientAliveCountMax" variable is set in "/etc/ssh/sshd_config" file by performing the following command:
+
+# sudo grep -i clientalivecountmax /etc/ssh/sshd_config
+
+ClientAliveCountMax 1
+
+If "ClientAliveCountMax" is not set, or not set to "1", or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>UBTU-18-010416The Ubuntu operating system must automatically terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.
+
+Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.
+
+Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+
+Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
+
+Satisfies: SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100845SV-109949CCI-001133CCI-002361Configure the Ubuntu operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10 minute period of inactivity.
+
+Modify or append the following line in the "/etc/ssh/sshd_config" file replacing "[Interval]" with a value of "600" or less:
+
+ClientAliveInterval 600
+
+In order for the changes to take effect, the SSH daemon must be restarted.
+
+# sudo systemctl restart sshd.serviceVerify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
+
+Check that the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command:
+
+# sudo grep -i clientalive /etc/ssh/sshd_config
+
+ClientAliveInterval 600
+
+If "ClientAliveInterval" does not exist, is not set to a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>UBTU-18-010417The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.
+
+Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100847SV-109951CCI-001453CCI-002890CCI-003123Configure the Ubuntu operating system to allow the SSH daemon to only use Message Authentication Codes (MACs) that employ FIPS 140-2 approved ciphers.
+
+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+MACs hmac-sha2-512,hmac-sha2-256
+
+In order for the changes to take effect, reload the SSH daemon.
+
+# sudo systemctl reload sshd.serviceVerify the Ubuntu operating system configures the SSH daemon to only use Message Authentication Codes (MACs) that employ FIPS 140-2 approved ciphers.
+
+Check that the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command:
+
+# sudo grep -i macs /etc/ssh/sshd_config
+
+MACs hmac-sha2-512,hmac-sha2-256
+
+If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, or the returned line is commented out, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>UBTU-18-010420The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.
+
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109953V-100849CCI-002418CCI-002420CCI-002421CCI-002422Install the "ssh" meta-package on the system with the following command:
+
+# sudo apt install ssh
+
+Enable the "ssh" service to start automatically on reboot with the following command:
+
+# sudo systemctl enable sshd.service
+
+Ensure that the "ssh" service is running.
+
+# sudo systemctl start sshd.serviceCheck that the ssh package is installed with the following command:
+
+# sudo dpkg -l | grep openssh
+ii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access to remote machines
+ii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server, for secure access from remote machines
+ii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
+
+If the "openssh" server package is not installed, this is a finding.
+
+Check that the "sshd.service" is loaded and active with the following command:
+
+# sudo systemctl status sshd.service | egrep -i "(active|loaded)"
+ Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
+ Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 weeks 3 days ago
+
+If "sshd.service" is not active or loaded, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>UBTU-18-010424The Ubuntu operating system must not allow unattended or automatic login via ssh.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109955V-100851CCI-000366Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or automatic login to the system.
+
+Add or edit the following lines in the "/etc/ssh/sshd_config" file:
+
+PermitEmptyPasswords no
+PermitUserEnvironment no
+
+In order for the changes to take effect, the SSH daemon must be restarted.
+
+# sudo systemctl restart sshd.serviceVerify that unattended or automatic login via ssh is disabled.
+
+Check that unattended or automatic login via ssh is disabled with the following command:
+
+# egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config
+
+PermitEmptyPasswords no
+PermitUserEnvironment no
+
+If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are missing completely, or they are commented out, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>UBTU-18-010425The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
+
+A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
+
+When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
+
+This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
+
+Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100853SV-109957CCI-000185CCI-001991Configure the Ubuntu operating system, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor.
+
+Determine which pkcs11 module is being used via the use_pkcs11_module in /etc/pam_pkcs11/pam_pkcs11.conf and ensure "ca" is enabled in "cert_policy".
+
+Add or update the "cert_policy" to ensure "ca" is enabled:
+
+cert_policy = ca,signature,ocsp_on;
+
+If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".Verify the Ubuntu operating system, for PKI-based authentication, had valid certificates by constructing a certification path to an accepted trust anchor.
+
+Check which pkcs11 module is being used via the use_pkcs11_module in /etc/pam_pkcs11/pam_pkcs11.conf and then ensure "ca" is enabled in "cert_policy" with the following command:
+
+# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca
+
+cert_policy = ca,signature,ocsp_on;
+
+If "cert_policy" is not set to "ca", or the line is commented out, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>UBTU-18-010426The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109959V-100855CCI-000187Install libpam-pkcs11 package on the system.
+
+Set use_mappers=pwent in /etc/pam_pkcs11/pam_pkcs11.conf
+
+If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".Verify the Ubuntu operating system has the "libpam-pkcs11" package installed, by running the following command:
+
+ # dpkg -l | grep libpam-pkcs11
+
+If "libpam-pkcs11" is not installed, this is a finding.
+
+Check if use_mappers is set to pwent in /etc/pam_pkcs11/pam_pkcs11.conf file
+ # grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf
+ use_mappers = pwent
+
+If "use_mappers" is not found, or is not set to "pwent", this is a finding.SRG-OS-000105-GPOS-00052<GroupDescription></GroupDescription>UBTU-18-010427The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.<VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased.
+
+Multifactor authentication requires using two or more factors to achieve authentication.
+
+Factors include:
+1) something a user knows (e.g., password/PIN);
+2) something a user has (e.g., cryptographic identification device, token); and
+3) something a user is (e.g., biometric).
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).
+
+The DOD CAC with DOD-approved PKI is an example of multifactor authentication.
+
+Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100857SV-109961CCI-000765CCI-000766CCI-000767CCI-000768CCI-001954Configure the Ubuntu operating system to use multifactor authentication for local access to accounts.
+
+Add or update the following line in "/etc/pam.d/common-auth", placing it above any lines containing "pam_unix.so":
+
+auth [success=2 default=ignore] pam_pkcs11.soVerify the Ubuntu operating system uses multifactor authentication for local access to accounts.
+
+Check that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-auth" file with the following command:
+
+# grep pam_pkcs11.so /etc/pam.d/common-auth
+auth [success=2 default=ignore] pam_pkcs11.so
+
+If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>UBTU-18-010431The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+Requires further clarification from NIST.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100859SV-109963CCI-001948Configure the Ubuntu operating system to implement multifactor authentication by installing the required packages.
+
+Install the "libpam-pkcs11" package on the system with the following command:
+
+# sudo apt install libpam-pkcs11Verify the Ubuntu operating system has the packages required for multifactor authentication installed.
+
+Check for the presence of the packages required to support multifactor authentication with the following commands:
+
+# dpkg -l | grep libpam-pkcs11
+
+ii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards
+
+If the "libpam-pkcs11" package is not installed, this is a finding.SRG-OS-000376-GPOS-00161<GroupDescription></GroupDescription>UBTU-18-010432The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.<VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
+
+DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100861SV-109965CCI-001953Configure the Ubuntu operating system to accept Personal Identity Verification (PIV) credentials.
+
+Install the "opensc-pkcs11" package using the following command:
+
+# sudo apt-get install opensc-pkcs11Verify the Ubuntu operating system accepts Personal Identity Verification (PIV) credentials.
+
+Check that the "opensc-pcks11" package is installed on the system with the following command:
+
+# dpkg -l | grep opensc-pkcs11
+
+ii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with support for PKCS#15 compatible cards
+
+If the "opensc-pcks11" package is not installed, this is a finding.SRG-OS-000377-GPOS-00162<GroupDescription></GroupDescription>UBTU-18-010434The Ubuntu operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
+
+DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109967V-100863CCI-001954Configure the Ubuntu operating system to certificate status checking for multifactor authentication.
+
+Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include ocsp_on.Verify the Ubuntu operating system implements certificate status checking for multifactor authentication.
+
+Check that certificate status checking for multifactor authentication is implemented with the following command:
+
+# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ocsp_on
+
+cert_policy = ca,signature,ocsp_on;
+
+If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding.SRG-OS-000403-GPOS-00182<GroupDescription></GroupDescription>UBTU-18-010436The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.
+
+The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100865SV-109969CCI-002470Add at least one DOD certificate authority to the '/usr/local/share/ca-certificates' directory, then run the 'update-ca-certificates' command.Verify the directory containing the root certificates for the Ubuntu operating system only contains certificate files for DoD PKI-established certificate authorities by iterating over all files in the '/etc/ssl/certs' directory and checking if, at least one, has the subject matching "DOD ROOT CA".
+
+If none is found, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>UBTU-18-010437Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
+
+Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-0012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100867SV-109971CCI-002165CCI-002235Configure the Ubuntu operating system to allow system administrators to pass information to any other Ubuntu operating system administrator or user.
+
+Install "Pam_Apparmor" (if it is not installed) with the following command:
+
+# sudo apt-get install libpam-apparmor
+
+Enable/Activate "Apparmor" (if it is not already active) with the following command:
+
+# sudo systemctl enable apparmor.service
+
+Start "Apparmor" with the following command:
+
+# sudo systemctl start apparmor.service
+
+Note: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.Verify that the Ubuntu operating system is configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user.
+
+Check that "Pam_Apparmor" is installed on the system with the following command:
+
+# dpkg -l | grep -i apparmor
+
+ii libpam-apparmor 2.10.95-0Ubuntu2.6
+
+If the "Pam_Apparmor" package is not installed, this is a finding.
+
+Check that the "AppArmor" daemon is running with the following command:
+
+# systemctl status apparmor.service | grep -i active
+
+If something other than "Active: active" is returned, this is a finding.
+
+Note: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>UBTU-18-010441The Ubuntu operating system must be configured to use AppArmor.<VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.
+
+Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.
+
+Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109973V-100869CCI-001764Install "Apparmor" (if it is not installed) with the following command:
+
+# sudo apt-get install apparmor
+
+# sudo systemctl enable apparmor.service
+
+Start "Apparmor" with the following command:
+
+# sudo systemctl start apparmor.service
+
+Note: Apparmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the "Apparmor" documentation for more information on configuring profiles.Verify the operating system prevents program execution in accordance with local policies.
+
+Check that apparmor is installed and active by running the following command:
+
+# dpkg -l | grep apparmor
+
+If the "apparmor" package is not installed, this is a finding.
+
+#systemctl is-active apparmor.service
+
+active
+
+If "active" is not returned, this is a finding.
+
+#systemctl is-enabled apparmor.service
+
+enabled
+
+If "enabled" is not returned, then this is a finding.SRG-OS-000370-GPOS-00155<GroupDescription></GroupDescription>UBTU-18-010442The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.<VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.
+
+Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.
+
+Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100871SV-109975CCI-001774Configure the Ubuntu operating system to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
+
+Install "Apparmor" (if it is not installed) with the following command:
+
+# sudo apt-get install apparmor
+
+Enable "Apparmor" (if it is not already active) with the following command:
+
+# sudo systemctl enable apparmor.service
+
+Start "Apparmor" with the following command:
+
+# sudo systemctl start apparmor.service
+
+Note: Apparmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the "Apparmor" documentation for more information on configuring profiles.Verify that the Ubuntu operating system is configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and access to user home directories.
+
+Check that "Apparmor" is configured to employ application whitelisting and home directory access control with the following command:
+
+# sudo apparmor_status
+
+apparmor module is loaded.
+17 profiles are loaded.
+17 profiles are in enforce mode.
+ /sbin/dhclient
+ /usr/bin/lxc-start
+ ...
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+
+If the defined profiles do not match the organization's list of authorized software, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>UBTU-18-010444The Ubuntu operating system must uniquely identify interactive users.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
+
+1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
+
+2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
+
+Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109977V-100873CCI-000764CCI-000804Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID.Verify that the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users.
+
+Check that the Ubuntu operating system contains no duplicate UIDs for interactive users with the following command:
+
+# awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+
+If output is produced, and the accounts listed are interactive user accounts, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>UBTU-18-010445The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
+
+Ubuntu operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109979V-100875CCI-000795Configure the Ubuntu operating system to disable account identifiers after 35 days of inactivity since the password expiration.
+
+Run the following command to change the configuration for adduser:
+
+# sudo useradd -D -f 35
+
+Note: DoD recommendation is 35 days, but a lower value is acceptable. The value "0" will disable the account immediately after the password expires.Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command:
+
+Check the account inactivity value by performing the following command:
+
+# sudo grep INACTIVE /etc/default/useradd
+
+INACTIVE=35
+
+If "INACTIVE" is not set to a value 0<[VALUE]<=35, or is commented out, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>UBTU-18-010447The Ubuntu operating system must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors.
+
+Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
+
+The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109981V-100877CCI-001682Configure the operating system to expire temporary accounts after 72 hours with the following command:
+
+ $ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>Verify temporary accounts have been provisioned with an expiration date of 72 hours.
+
+For every existing temporary account, run the following command to obtain its account expiration information:
+
+ $ sudo chage -l <temporary_account_name> | grep -i "account expires"
+
+Verify each of these accounts has an expiration date set within 72 hours.
+If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>UBTU-18-010448The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109983V-100879CCI-000366Configure the system to define the default permissions for all authenticated users in such a way that the user can only read and modify their own files.
+
+Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below:
+
+UMASK 077Verify the Ubuntu operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.
+
+Check that the Ubuntu operating system defines default permissions for all authenticated users with the following command:
+
+# grep -i "umask" /etc/login.defs
+
+UMASK 077
+
+If the "UMASK" variable is set to "000", this is a finding with the severity raised to a CAT I.
+
+If the value of "UMASK" is not set to "077", "UMASK" is commented out or "UMASK" is missing completely, this is a finding.SRG-OS-000002-GPOS-00002<GroupDescription></GroupDescription>UBTU-18-010449The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.<VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
+
+Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
+
+If temporary accounts are used, the Ubuntu operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address access requirements, the Ubuntu operating system may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109985V-100881CCI-000016If a temporary account must be created configure the system to terminate the account after a 72 hour time period with the following command to set an expiration date on it. Substitute "system_account_name" with the account to be created.
+
+# sudo chage -E $(date -d "+3 days" +%F) system_account_nameVerify the Ubuntu operating system expires temporary user accounts within 72 hours or less.
+
+For every existing temporary account, run the following command to obtain its account expiration information.
+
+# sudo chage -l system_account_name | grep expires
+
+Password expires : Aug 07, 2019
+Account expires : Aug 07, 2019
+
+Verify each of these accounts has an expiration date set within 72 hours of accounts' creation.
+If any temporary account does not expire within 72 hours of that account's creation, this is a finding.SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>UBTU-18-010500The Ubuntu operating system must be configured to use TCP syncookies.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
+
+Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109987V-100883CCI-001095Configure the Ubuntu operating system to use TCP syncookies, by running the following command:
+
+# sudo sysctl -w net.ipv4.tcp_syncookies=1
+
+If "1" is not the system's default value then add or update the following line in "/etc/sysctl.conf":
+
+net.ipv4.tcp_syncookies = 1Verify the Ubuntu operating system is configured to use TCP syncookies.
+
+Check the value of TCP syncookies with the following command:
+
+# sysctl net.ipv4.tcp_syncookies
+net.ipv4.tcp_syncookies = 1
+
+If the value is not "1", this is a finding.
+
+Check the saved value of TCP syncookies with the following command:
+
+# sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'
+
+If no output is returned, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>UBTU-18-010501The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
+
+Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
+
+Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100885SV-109989CCI-001891If the system is not networked this requirement is Not Applicable.
+
+To configure the system clock to compare the system clock at least every 24 hours to the authoritative time source, edit the "/etc/chrony/chrony.conf" file. Add or correct the following lines, by replacing "[source]" in the following line with an authoritative DoD time source.
+
+server [source] iburst maxpoll = 16
+
+If the "chrony" service was running and the value of "maxpoll" or "server" was updated then the service must be restarted using the following command:
+
+# sudo systemctl restart chrony.serviceIf the system is not networked this requirement is Not Applicable.
+
+The system clock must be configured to compare the system clock at least every 24 hours to the authoritative time source.
+
+Check the value of "maxpoll" in the "/etc/chrony/chrony.conf" file with the following command:
+
+# sudo grep maxpoll /etc/chrony/chrony.conf
+server tick.usno.navy.mil iburst maxpoll 16
+
+If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding.
+
+Verify that the "chrony.conf" file is configured to an authoritative DoD time source by running the following command:
+
+# grep -i server /etc/chrony/chrony.conf
+server tick.usno.navy.mil iburst maxpoll 16
+server tock.usno.navy.mil iburst maxpoll 16
+server ntp2.usno.navy.mil iburst maxpoll 16
+
+If the parameter "server" is not set, is not set to an authoritative DoD time source, or is commented out, this is a finding.SRG-OS-000356-GPOS-00144<GroupDescription></GroupDescription>UBTU-18-010502The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
+
+Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems).
+
+Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100887SV-109991CCI-002046Configure chrony to synchronize the internal system clocks to the authoritative source when the time difference is greater than one second by doing the following,
+
+Edit the /etc/chrony/chrony.conf file and add:
+
+makestep 1 -1
+
+Restart the chrony service,
+
+# sudo systemctl restart chrony.serviceVerify the operating system synchronizes internal system clocks to the authoritative time source when the time difference is greater than one second.
+
+Check the value of "makestep" by running the following command:
+
+# sudo grep makestep /etc/chrony/chrony.conf
+
+makestep 1 -1
+
+If the makestep option is commented out or is not set to "1 -1", this is a finding.SRG-OS-000359-GPOS-00146<GroupDescription></GroupDescription>UBTU-18-010503The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109993V-100889CCI-001890To configure the system time zone to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), run the following command replacing [ZONE] with UTC or GMT.
+
+# sudo timedatectl set-timezone [ZONE]The time zone must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). To verify run the following command.
+
+# sudo timedatectl status | grep -i "time zone"
+Timezone: UTC (UTC, +0000)
+
+If "Timezone" is not set to UTC or GMT, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>UBTU-18-010504The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+The Ubuntu operating system is capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, the Ubuntu operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100891SV-109995CCI-000382Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:
+$ ufw allow <direction> <port/protocol/service>
+
+where the direction is 'in' or 'out' and the port is the one corresponding to the protocol or service allowed.
+
+To deny access to port, protocols or services, use:
+$ ufw deny <direction> <port/protocol/service>Verify the Ubuntu operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
+
+Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following commands:
+$ sudo ufw show before-rules
+$ sudo ufw show user-rules
+$ sudo ufw show after-rules
+
+Ask the system administrator for the site or program PPSM Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
+
+If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
+
+If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-OS-000184-GPOS-00078<GroupDescription></GroupDescription>UBTU-18-010505Kernel core dumps must be disabled unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-109997V-100893CCI-001190If kernel core dumps are not required, disable the "kdump" service with the following command:
+
+# systemctl disable kdump.service
+
+If kernel core dumps are required, document the need with the Information System Security Officer (ISSO).Verify that kernel core dumps are disabled unless needed.
+
+Check if "kdump" service is active with the following command:
+
+# systemctl is-active kdump.service
+inactive
+
+If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
+
+If the service is active and is not documented, this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>UBTU-18-010506The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.
+
+To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100895SV-109999CCI-001496Add or update the following selection lines to "/etc/aide/aide.conf", in order to protect the integrity of the audit tools.
+
+# Audit Tools
+/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.
+
+Check the selection lines that aide is configured to add/check with the following command:
+
+# egrep '(\/sbin\/(audit|au))' /etc/aide/aide.conf
+
+/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+
+If any of the seven audit tools does not have an appropriate selection line, this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>UBTU-18-010507The Ubuntu operating system must enable and run the uncomplicated firewall(ufw).<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Ubuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
+
+Satisfies: SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-110001V-100897CCI-000366CCI-002314Enable the Uncomplicated Firewall by using the following command:
+
+# sudo systemctl enable ufw.service
+
+If the Uncomplicated Firewall is not currently running on the system, start it with the following command:
+
+# sudo systemctl start ufw.serviceVerify the Uncomplicated Firewall is enabled on the system by running the following command:
+
+# systemctl is-enabled ufw
+
+If the above command returns the status as "disabled", this is a finding.
+
+Verify the Uncomplicated Firewall is active on the system by running the following command:
+
+# sudo systemctl is-active ufw
+
+If the above command returns 'inactive' or any kind of error, this is a finding.
+
+If the Uncomplicated Firewall is not installed ask the System Administrator if another application firewall is installed.
+
+If no application firewall is installed this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>UBTU-18-010508The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the Ubuntu operating system. Changes to Ubuntu operating system configurations can have unintended side effects, some of which may be relevant to security.
+
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
+
+Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-110003V-100899CCI-001744CCI-002702Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner.
+
+Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file with a value of "no" if it does not already exist.Verify that Advanced Intrusion Detection Environment (AIDE) notifies the system administrator when anomalies in the operation of any security functions are discovered.
+
+Check that AIDE notifies the system administrator when anomalies in the operation of any security functions are discovered with the following command:
+
+#sudo grep SILENTREPORTS /etc/default/aide
+
+SILENTREPORTS=no
+
+If SILENTREPORTS is uncommented and set to yes, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>UBTU-18-010509The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-110023V-100919CCI-001958Configure the Ubuntu operating system to disable using the USB storage kernel module.
+
+Create a file under "/etc/modprobe.d" to contain the following:
+$ sudo su -c "echo install usb-storage /bin/false >> /etc/modprobe.d/DISASTIG.conf"
+
+Configure the operating system to disable the ability to use USB mass storage devices:
+$ sudo su -c "echo blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf"Note: The "install" and "blacklist" methods are utilized together to fully disable automatic mounting of the USB mass storage driver.
+
+Verify the Ubuntu operating system disables the ability to load the USB storage kernel module:
+$ grep usb-storage /etc/modprobe.d/* | grep "/bin/false"
+
+install usb-storage /bin/false
+
+If the command does not return any output, or the line is commented out, this is a finding.
+
+Verify the operating system disables the ability to use USB mass storage device:
+$ grep usb-storage /etc/modprobe.d/* | grep -i "blacklist"
+
+blacklist usb-storage
+
+If the command does not return any output, or the line is commented out, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>UBTU-18-010512The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
+
+This requirement addresses the configuration of the Ubuntu operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-110005V-100901CCI-002385Configure the application firewall to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces.
+
+Run the following command replacing "[service]" with the service that needs to be rate limited.
+
+$ sudo ufw limit [service]
+
+Or rate-limiting can be done on an interface. An example of adding a rate-limit on the eth0 interface:
+
+$ sudo ufw limit in on eth0Verify an application firewall is configured to rate limit any connection to the system.
+
+Check that the Uncomplicated Firewall is configured to rate limit any connection to the system with the following command:
+
+$ sudo ufw show user-rules
+
+IPV4 (user):
+
+Chain ufw-user-input (1 references)
+
+ pkts bytes target prot opt in out source destination
+
+ 1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* 'dapp_OpenSSH' */
+
+ 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
+
+
+
+Chain ufw-user-forward (1 references)
+
+ pkts bytes target prot opt in out source destination
+
+
+
+Chain ufw-user-output (1 references)
+
+ pkts bytes target prot opt in out source destination
+
+
+
+Chain ufw-user-limit-accept (0 references)
+
+ pkts bytes target prot opt in out source destination
+
+ 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
+
+
+
+Chain ufw-user-limit (0 references)
+
+ pkts bytes target prot opt in out source destination
+
+ 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
+
+ 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
+
+If any service is not rate limited by the Uncomplicated Firewall, this is a finding.SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>UBTU-18-010513The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+
+Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-110007V-100903CCI-002824Configure the Ubuntu operating system to enable NX.
+
+If "nx" is not showing up in /proc/cpuinfo and the system's BIOS setup configuration permits toggling the No Execution bit, then set it to "enable".Verify the NX (no-execution) bit flag is set on the system.
+
+Check that the no-execution bit flag is set with the following commands:
+
+# dmesg | grep -i "execute disable"
+[ 0.000000] NX (Execute Disable) protection: active
+
+If "dmesg" does not show "NX (Execute Disable) protection: active", check the cpuinfo settings with the following command:
+
+# grep flags /proc/cpuinfo | grep -w nx | sort -u
+flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc
+
+If "flags" does not contain the "nx" flag, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>UBTU-18-010514The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+
+Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-110009V-100905CCI-002824Set the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file to a value of "2".
+
+After the line has been modified the kernel settings from all system configuration files must be reloaded; before any of the changes will take effect.
+
+Run the following command to reload all of the kernel system configuration files:
+
+# sudo sysctl --system
+Verify the Ubuntu operating system implements address space layout randomization (ASLR).
+
+Check that ASLR is configured on the system with the following command:
+
+# sudo sysctl kernel.randomize_va_space
+
+kernel.randomize_va_space = 2
+
+Verify the kernel parameter "randomize_va_space" is set to 2 with the following command:
+
+# cat /proc/sys/kernel/randomize_va_space
+
+2
+
+If "kernel.randomize_va_space" is not set to 2, this is a finding.
+
+Check the saved value of the kernel.randomize_va_space variable is not different from 2.
+
+# sudo egrep -R "^kernel.randomize_va_space=[^2]" /etc/sysctl.conf /etc/sysctl.d
+
+If this returns a result, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>UBTU-18-010515The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100907SV-110011CCI-002696Install AIDE, initialize it, and perform a manual check.
+
+Install AIDE:
+ $ sudo apt install aide
+
+Initialize it (this may take a few minutes):
+ $ sudo aideinit
+ Running aide --init...
+
+Example output:
+
+ Start timestamp: 2022-11-20 11:53:17 -0700 (AIDE 0.16)
+ AIDE initialized database at /var/lib/aide/aide.db.new
+ Verbose level: 6
+
+ Number of entries: 119543
+
+ ---------------------------------------------------
+ The attributes of the (uncompressed) database(s):
+ ---------------------------------------------------
+
+ /var/lib/aide/aide.db.new
+ RMD160 : PiEP1DX91JMcHnRSPnpFqNfIFr4=
+ TIGER : /zM5yQBnOIoEH0jplJE5v6S0rUErbTXL
+ SHA256 : BE2iHtBN9lEX53l4R/p7t1al0dIlsgPc
+ Lg4YI08+/Jk=
+ SHA512 : JIdGeNVRgtBPPSwun9St+9cwUrgIIKUW
+ KVTksZXJ29Tt+luC/XNDcjIub7fbPVw/
+ EcTDsvYtt9MBmBxw1wCYng==
+ CRC32 : jB2FVw==
+ HAVAL : Jhe+fqaDpkswpWSnOTN28TO05QFHsjdq
+ RcFZwCVUGTQ=
+ GOST : WFrarVyxpXbKdW9SAaOy1Te8rSodV3/q
+ nLsXuP7YujA=
+
+
+End timestamp: 2022-11-20 11:58:19 -0700 (run time: 5m 2s)
+
+The new database will need to be renamed to be read by AIDE:
+ $ sudo cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+Perform a manual check:
+ $ sudo aide.wrapper --check
+
+Example output:
+ Start timestamp: 2022-11-20 11:59:16 -0700 (AIDE 0.16)
+ AIDE found differences between database and filesystem!!
+ ...
+
+Done.Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.
+
+Check that the AIDE package is installed with the following command:
+ $ sudo dpkg -l | grep aide
+ ii aide 0.16-3ubuntu0.1 amd64 Advanced Intrusion Detection Environment - static binary
+
+If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
+
+If there is no application installed to perform integrity checks, this is a finding.
+
+If AIDE is installed, check if it has been initialized with the following command:
+ $ sudo aide.wrapper --check
+
+If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.SRG-OS-000446-GPOS-00200<GroupDescription></GroupDescription>UBTU-18-010516The Ubuntu operating system must be configured so that a file integrity tool verifies the correct operation of security functions every 30 days.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights.
+
+This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055SV-110013V-100909CCI-002699The cron file for AIDE is fairly complex as it creates the report. This file is installed with the aide-common package and the default can be restored by copying it from another location:
+
+# sudo cp /usr/share/aide/config/cron.daily/aide /etc/cron.daily/aideVerify that Advanced Intrusion Detection Environment (AIDE) performs a verification of the operation of security functions every 30 days.
+
+Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.
+
+Check that AIDE is being executed every 30 days or less with the following command:
+
+# ls -al /etc/cron.daily/aide
+
+-rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide
+
+If the "/etc/cron.daily/aide" file does not exist or a cron job is not configured to run at least every 30 days, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010418The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.
+X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.
+If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+X11Forwarding no
+
+The SSH service must be restarted for changes to take effect:
+
+$ sudo systemctl restart sshdVerify that X11Forwarding is disabled with the following command:
+
+# grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#"
+
+X11Forwarding no
+
+If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010419The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the SSHD proxy display is configured to listen on the wildcard address. By default, SSHD binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.
+
+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+X11UseLocalhost yesVerify the SSH daemon prevents remote hosts from connecting to the proxy display.
+
+Check the SSH X11UseLocalhost setting with the following command:
+
+# sudo grep -i x11uselocalhost /etc/ssh/sshd_config
+X11UseLocalhost yes
+
+If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010450All local interactive user home directories defined in the /etc/passwd file must exist.<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service (DoS) because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a User ID (UID) of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd".
+
+$ sudo mkdir /home/smithj
+$ sudo chown smithj /home/smithj
+$ sudo chgrp users /home/smithj
+$ sudo chmod 0750 /home/smithjVerify the assigned home directory of all local interactive users on the Ubuntu operating system exists.
+
+Check the home directory assignment for all local interactive non-privileged users with the following command:
+
+$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
+
+smithj 1001 /home/smithj
+
+Note: This may miss interactive users that have been assigned a privileged User ID (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+Check that all referenced home directories exist with the following command:
+
+$ sudo pwck -r
+
+user 'smithj': directory '/home/smithj' does not exist
+
+If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010451All local interactive user home directories must have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366Change the mode of interactive user’s home directories to "0750". To change the mode of a local interactive user’s home directory, use the following command:
+
+Note: The example will be for the user "smithj".
+
+$ sudo chmod 0750 /home/smithjVerify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command:
+
+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+
+drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj
+
+If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010452All local interactive user home directories must be group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command:
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
+
+$ sudo chgrp users /home/smithj
+Verify the assigned home directory of all local interactive users is group-owned by that user’s primary Group Identifier (GID).
+
+Check the home directory assignment for all non-privileged users on the system with the following command:
+
+Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.
+
+$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+
+drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj
+
+Check the user's primary group with the following command:
+
+$ sudo grep admin /etc/group
+admin:x:250:smithj,jonesj,jacksons
+
+If the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding.
+SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010522The Ubuntu operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands:
+
+Perform a password reset:
+
+$ sudo passwd [username]
+
+Lock an account:
+
+$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command:
+
+$ sudo awk -F: '!$2 {print $1}' /etc/shadow
+
+If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010523The Ubuntu operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
+
+Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords.To verify that null passwords cannot be used, run the following command:
+
+$ grep nullok /etc/pam.d/common-password
+
+If this produces any output, it may be possible to log on with accounts with empty passwords.
+
+If null passwords can be used, this is a finding.SRG-OS-000481-GPOS-00481<GroupDescription></GroupDescription>UBTU-18-010521The Ubuntu operating system must disable all wireless network adapters.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system.
+
+This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055V-100913SV-110017CCI-002418Configure the system to disable all wireless network interfaces with the following command:
+
+# sudo ifdown [ADAPTER_NAME]Verify that there are no wireless interfaces configured on the system.
+
+Check that the system does not have active wireless interfaces with the following command:
+
+Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.
+
+# ifconfig -a | more
+
+eth0 Link encap:Ethernet HWaddr ff:ff:ff:ff:ff:ff
+ inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
+ ...
+
+eth1 IEEE 802.11b ESSID:"tacnet"
+ Mode:Managed Frequency:2.412 GHz Access Point: 00:40:E7:22:45:CD
+ ...
+
+lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ ...
+
+If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>UBTU-18-010421The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.
+
+The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000068Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config":
+
+ KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+
+Restart the "sshd" service for changes to take effect:
+
+ $ sudo systemctl restart sshdVerify that the SSH server is configured to use only FIPS-validated key exchange algorithms:
+
+ $ sudo grep -i kexalgorithms /etc/ssh/sshd_config
+ KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+
+If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>UBTU-18-010510The Ubuntu operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-001090Configure the operating system to restrict access to the kernel message buffer.
+
+Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:
+
+ kernel.dmesg_restrict = 1
+
+Remove any configurations that conflict with the above from the following locations:
+ /run/sysctl.d/
+ /etc/sysctl.d/
+ /usr/local/lib/sysctl.d/
+ /usr/lib/sysctl.d/
+ /lib/sysctl.d/
+ /etc/sysctl.conf
+
+Reload settings from all system configuration files with the following command:
+
+ $ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands:
+
+ $ sudo sysctl kernel.dmesg_restrict
+ kernel.dmesg_restrict = 1
+
+If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.
+
+Check that the configuration files are present to enable this kernel parameter:
+
+ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ /etc/sysctl.conf:kernel.dmesg_restrict = 1
+ /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1
+
+If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-999999The Ubuntu operating system must be a vendor supported release.<VulnDiscussion>An Ubuntu operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 18.04 LTSDISADPMS TargetCanonical Ubuntu 18.04 LTS4055CCI-000366Upgrade to a supported version of the Ubuntu operating system.Verify the version of the Ubuntu operating system is vendor supported.
+
+Check the version of the Ubuntu operating system with the following command:
+
+# cat /etc/lsb-release
+
+DISTRIB_RELEASE=18.04
+DISTRIB_CODENAME=bionic
+DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"
+
+Validate that "Extended Security Maintenance" support has been purchased from the vendor.
+If the operating system does not have a documented "Extended Security Maintenance" agreement in place, this is a finding.
\ No newline at end of file
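Review bot: the new file ends without a trailing newline (`\ No newline at end of file`); add one so the last line does not churn in every later diff of this benchmark. Also, as rendered in this hunk the XCCDF structure is flattened: each rule's group id, vuln id, title and discussion run together on one line (e.g. `SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-18-010522The Ubuntu operating system must not have accounts...`) with only inner elements such as `<VulnDiscussion>` and `<GroupDescription>` keeping their tags, so please confirm the committed file is the intact DISA XML rather than a tag-stripped export, since anything parsing the XCCDF will fail on the latter. Two vendored-content details are worth recording in the PR description rather than patching, because downstream scripts may lift commands from these rules: the UBTU-18-010452 fix example sets the primary group to `users` (`$ sudo chgrp users /home/smithj`) while its own check output shows the same user's directory group-owned by `admin`, and the UBTU-18-010521 fix mixes a root prompt with sudo (`# sudo ifdown [ADAPTER_NAME]`) where the rest of the file uses `$ sudo ...`.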
diff --git a/benchmarks/DISA/U_ForeScout_CounterACT_NDM_STIG_V1R2_Manual-xccdf.xml b/benchmarks/DISA/U_ForeScout_CounterACT_NDM_STIG_V1R2_Manual-xccdf.xml
new file mode 100644
index 000000000..c94c1cbe8
--- /dev/null
+++ b/benchmarks/DISA/U_ForeScout_CounterACT_NDM_STIG_V1R2_Manual-xccdf.xml
@@ -0,0 +1,540 @@
+acceptedForeScout CounterACT NDM Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CACT-NM-000001CounterACT must terminate all network connections associated with an Enterprise Manager Console session upon Exit, or session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90913V-76225CCI-001133CounterACT is inherently designed to terminate upon Exit or session disconnection, thus this part of the requirement does not have a fix. To configure CounterACT to terminate the connection after "10" minutes of inactivity perform the following steps.
+
+1. On the Enterprise Manager Console.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "User In-activity Timeout" check box is selected and the associated setting is set to "10 minutes.
+
+If exceptions to this requirement are necessary based on mission requirements, document the mission requirement and validate with a signature by a designated authority.CounterACT is inherently designed to terminate upon Exit or session disconnection, thus this part of the requirement does not have to be verified. To verify the device is configured to terminate management sessions after "10" minutes of inactivity, verify the timeout value is configured.
+
+1. On the Enterprise Manager Console.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "User Inactivity Timeout" check box is selected and the associated setting is set to "10" minutes.
+
+If applicable, verify exceptions to this requirement are documented and signed.
+
+If Counteract does not terminate the connection associated with an Enterprise Manager Console at the end of the session or after "10" minutes of inactivity, this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CACT-NM-000002CounterACT must terminate all network connections associated with an SSH connection session upon Exit, session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90915V-76227CCI-001133CounterACT is inherently designed to terminate upon Exit or session disconnection, thus this part of the requirement does not have a fix. To configure CounterACT to terminate the connection after "10" minutes of inactivity perform the following steps.
+
+1. On the Enterprise Manager Console.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "User In-activity Timeout" check box is selected and the associated setting is set to "10" minutes.
+
+If exceptions to this requirement are necessary based on mission requirements, document the mission requirement and validate with a signature by a designated authority.CounterACT is inherently designed to terminate upon Exit or session disconnection, thus this part of the requirement does not have to be verified. To verify the device is configured to terminate management sessions after "10" minutes of inactivity, verify the timeout value is configured.
+
+1. On the Enterprise Manager Console.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "User Inactivity Timeout" check box is selected and the associated setting is set to "10" minutes.
+
+If applicable, verify exceptions to this requirement are documented and signed.
+
+If Counteract does not terminate the connection associated with an Enterprise Manager Console at the end of the session or after "10" minutes of inactivity, this is a finding.SRG-APP-000231-NDM-000271<GroupDescription></GroupDescription>CACT-NM-000003CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media.<VulnDiscussion>This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device.
+
+Files on the network device or on removable media used by the device must have their permissions set to allow read or write access to those accounts that are specifically authorized to access or change them. Note that different administrative accounts or roles will have varying levels of access.
+
+File permissions must be set so that only authorized administrators can read or change their contents. Whenever files are written to removable media and the media is removed from the device, the media must be handled appropriately for the classification and sensitivity of the data stored on the device.
+
+Flash drive usage must comply with DoD external storage and flash drive policy which includes permission to use and malware verification processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90917V-76229CCI-001199Set the file permissions on files on CounterACT or on removable media used by the device so that only authorized administrators can read or change their contents. This is completed by limiting access to SUDO accounts and command line admin accounts.
+
+1. Review accounts with update privileges to CounterACT appliance configuration by selecting Tools >> Options >> Console User Profiles.
+2. Select a user to edit.
+3. Select the "Permissions" tab.
+4. Ensure the "CounterACT Appliance Configuration" and "CounterACT Appliance Control" radio buttons are set to "View only".List the contents of CounterACT’s local storage, including any drives supporting removable media (such as flash drives), and check the file permissions of all files on those drives.
+
+1. Log on to the SSH command line interface of a CounterACT Enterprise Manager (EM) or CounterACT appliance using standard admin privilege.
+2. At the command prompt, type:
+cd /
+(To narrow the search to a specific LINUX directory, replace the / with the full pathname of the directory to be searched.)
+3. Use the following command to review file permissions:
+ls- la
+
+If any files allow read or write access by accounts not specifically authorized access or access using non-privileged accounts, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000005CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals.<VulnDiscussion>If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost.
+
+This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, in near real time, within minutes, or within hours.
+
+The individuals or roles to change the auditing are dependent on the security configuration of the network device. For example, it may be configured to allow only some administrators to change the auditing, while other administrators can review audit logs but not reconfigure auditing. Because this capability is so powerful, organizations should be extremely cautious about only granting this capability to fully authorized security personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90931V-76243CCI-001914CCI-000366Configure CounterACT to restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrator's role or to other roles or individuals.
+
+Apply the following configuration changes:
+
+1. Open the CounterACT Administrator Console and log on with admin or operator credentials.
+2. Select Tools >> Options >> Console User Profiles.
+3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
+4. Review the "Permissions" tab and ensure the following "update" radio check boxes are enabled: Action Thresholds, CounterACT Appliance Configuration, and Enterprise Manager Control.Determine if CounterACT restricts the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrator's role or to other roles or individuals.
+
+This requirement may be verified by configuration review or demonstration.
+
+1. Open the CounterACT Administrator Console and log on with admin or operator credentials.
+2. Select Tools >> Options >> Console User Profiles.
+3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
+4. Review the "Permissions" tab and verify the following "update" radio check boxes are enabled: Action Thresholds, CounterACT Appliance Configuration, and Enterprise Manager Control.
+
+If CounterACT does not provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near real time, this is a finding.SRG-APP-000374-NDM-000299<GroupDescription></GroupDescription>CACT-NM-000007CounterACT must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the application include date and time. Time is expressed in UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90927V-76239CCI-001890Configure CounterACT to record time stamps for audit records that can be mapped to UTC.
+
+Note: Updating time preferences will force CounterACT into maintenance mode. Use a scheduled outage for planned maintenance and stop CounterACT service prior to adjusting time settings.
+
+1. After logon, type the following command at the prompt using the IP address of the required NTP server:
+fstool ntp <ip address>
+2. Ensure the date references accurate time and the time zone points to UTC next to the year.Determine if CounterACT records time stamps for audit records that can be mapped to UTC. This requirement may be verified by demonstration or configuration review.
+
+Verify by connecting to the appliance via SSH using standard user/operator privilege.
+
+1. After logon, type the following command at the prompt using the IP address of the configured NTP server:
+fstool ntp test <ip address>
+2. Verify the date references accurate time and the time zone points to UTC next to the year.
+
+If CounterACT does not record time stamps for audit records that can be mapped to UTC, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000009CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B.<VulnDiscussion>CJCSM 6510.01B, "Cyber Incident Handling Program", in subsection e.(6)(c) sets forth requirements for Cyber events detected by an automated system.
+
+By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the network device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90905V-76217CCI-000366CCI-001274Enable and configure Threat Protection notifications.
+
+1. Select Tools >> Options >> Threat Protection.
+2. At the bottom of the Threat Protection pane, select "Customer" and then select the "Notify" tab.
+3. Modify the Maximum emails per day to "15" and infected host notification to 1 hour.Verify Threat Protection notifications are enabled and configured.
+
+1. Select Tools >> Options >> Threat Protection.
+2. At the bottom of the Threat Protection pane, select "Customer" and then select the "Notify" tab.
+3. Verify the Maximum emails per day is set to "15" and infected host notification is set to 1 hour.
+
+If CounterACT does not enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B, this is a finding.SRG-APP-000516-NDM-000334<GroupDescription></GroupDescription>CACT-NM-000010CounterACT must generate audit log events for a locally developed list of auditable events.<VulnDiscussion>Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90895V-76207CCI-000366Configure CounterACT to generate audit log events for a locally developed list of auditable events.
+
+1. Open the CounterACT Console.
+2. Select Tools >> Options >> Plugin.
+3. Select the Syslog Plugin.
+4. Select CounterACT or the Enterprise Manager appliance you would like to verify.
+5. Ensure additional settings for audit are available by ensuring that either one of these options is selected: "Include only messages generated by the 'send message to syslog action'" or "include NAC policy logs".Determine if CounterACT generates audit log events for a locally developed list of auditable events.
+
+1. Open the CounterACT Console.
+2. Select Tools >> Options >> Plugin.
+3. Select the Syslog Plugin.
+4. Select CounterACT or the Enterprise Manager appliance you would like to verify.
+5. Verify additional settings for audit are available by ensuring that either one of these options is selected: "Include only messages generated by the 'send message to syslog action'" or "include NAC policy logs".
+
+If CounterACT is not configured to generate audit log events for a locally developed list of auditable events, this is a finding.SRG-APP-000516-NDM-000335<GroupDescription></GroupDescription>CACT-NM-000011CounterACT must enforce access restrictions associated with changes to the system components.<VulnDiscussion>Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90893V-76205CCI-000345CCI-000366Configure CounterACT to enforce access restrictions associated with changes to the system components.
+
+1. Log on to the CounterACT Administrator UI with admin or operator credentials.
+2. From the menu, select Tools >> Options >> User Console and Options.
+3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
+4. Verify the non-administrator account selected does not have "update" on the "Permissions" tab for "CounterACT Appliance Configuration".Check CounterACT to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators.
+
+1. Log on to the CounterACT Administrator UI with admin or operator credentials.
+2. From the menu, select Tools >> Options >> User Console and Options.
+3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
+4. Verify the non-administrator account selected does not have "update" on the "Permissions" tab for "CounterACT Appliance Configuration".
+
+If unauthorized users are allowed to change the hardware or software, this is a finding.SRG-APP-000516-NDM-000336<GroupDescription></GroupDescription>CACT-NM-000012Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).<VulnDiscussion>The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which leads to delays in remediating production problems and addressing compromises in a timely fashion.
+
+Administrative accounts for network device management must be configured on the authentication server and not the network device itself. This requirement does not apply to the account of last resort.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90949V-76261CCI-000366CCI-000370Remove accounts that are not authorized. Do not remove the account of last resort.
+
+1. Log on to the CounterACT Administrator UI with admin or operator credentials.
+2. From the menu, select Tools >> Options >> User Console and Options.
+3. Select (highlight) the user profile to be reviewed (group or user) and then select "Remove".
+4. Remove external group membership, individual users on the Directory service.Review the CounterACT configuration to determine if administrative accounts for device management exist on the device other than the account of last resort and root account.
+
+1. Log on to the CounterACT Administrator UI with admin or operator credentials.
+2. From the menu, select Tools >> Options >> User Console and Options.
+3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
+4. Verify each user profile is for an approved administrator.
+5. Verify each external LDAP group account profile by verifying on the trusted external directory group membership.
+
+If any administrative accounts other than the account of last resort and root account exist on the device, this is a finding.SRG-APP-000516-NDM-000340<GroupDescription></GroupDescription>CACT-NM-000013CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.<VulnDiscussion>System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who use this critical network component.
+
+This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90897V-76209CCI-000366CCI-000537Configure CounterACT to generate audit log events for a locally developed list of auditable events.
+
+1. Open the CounterACT Console.
+2. Select Tools >> Options >> Plugin.
+3. Select the Syslog Plugin.
+4. Select CounterACT or the Enterprise Manager appliance you would like to verify.
+5. Ensure additional settings for audit are available by ensuring that either one of these options is selected: "Include only messages generated by the 'send message to syslog action'" or "include NAC policy logs".Check CounterACT to determine if the network device is configured to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
+
+1. Open CounterACT Console and select Tools >> Options.
+2. Select the "+" next to "Advanced" menu (toward the bottom).
+3. Select the “Backup” submenu.
+4. On the “System Backup” tab, verify the "Enable System Backup" radio button is selected.
+5. Verify the Backup schedule is selected to at least "weekly".
+
+If CounterACT does not support the organizational requirements to conduct backups of system-level data according to the defined frequency, this is a finding.SRG-APP-000516-NDM-000341<GroupDescription></GroupDescription>CACT-NM-000014CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.<VulnDiscussion>Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur.
+
+This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90899V-76211CCI-000366CCI-000539Configure CounterACT to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
+
+1. Open the CounterACT Console and select Tools >> Options.
+2. Select the "+" next to "Advanced" menu (toward the bottom).
+3. Select the “Backup” submenu.
+4. On the “System Backup” tab, ensure the "Enable System Backup" radio button is selected.
+5. Ensure the Backup schedule is selected to at least "weekly".Review the CounterACT backup configuration to determine if the network device backs up the information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
+
+1. Open the CounterACT Console and select Tools >> Options.
+2. Select the "+" next to "Advanced" menu (toward the bottom).
+3. Select the “Backup” submenu.
+4. On the “System Backup” tab, verify the "Enable System Backup" radio button is selected.
+5. Verify the Backup schedule is selected to at least "weekly".
+
+If the network device does not back up the information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner, this is a finding.SRG-APP-000516-NDM-000344<GroupDescription></GroupDescription>CACT-NM-000015CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.<VulnDiscussion>For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90901V-76213CCI-000366CCI-001159Configure CounterACT to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
+
+Reference CounterACT Admin Manual and Appendix 1: Command line tools and subsection "Generating CSRs and importing signed certificates" for more detail on requesting a signed certificate.Determine if CounterACT obtains public key certificates from an appropriate certificate policy through an approved service provider.
+
+To review the Web server certificate presented for captive portal/authentication:
+
+1. Open a command line SSH to CounterACT appliance or Enterprise Manager.
+2. Run the following command:
+>fstool cert test
+3. Verify all Web server certificate(s) are printed and reviewable.
+4. Verify the signing authority is from an approved certificate authority.
+
+If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.SRG-APP-000516-NDM-000344<GroupDescription></GroupDescription>CACT-NM-000016CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.<VulnDiscussion>For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90903V-76215CCI-000366CCI-001159Configure CounterACT to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
+
+Reference CounterACT 802.1x Plugin guide/help manual under Certificate Request process for additional details on the signing process.Determine if CounterACT obtains public key certificates from an appropriate certificate policy through an approved service provider.
+
+1. Open a command line SSH to CounterACT appliance or Enterprise Manager.
+2. Run the following command:
+>fstool dot1x cert print <pathname/filename> for the local server certificate (/usr/local/forescout/etc/dot1x/certs.production/server.pem)
+3. Verify the signing authority is from an approved certificate authority.
+
+If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.SRG-APP-000065-NDM-000214<GroupDescription></GroupDescription>CACT-NM-000020For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.
+
+Nonlocal account are configured on the authentication server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90881V-76193CCI-000044Configure CounterACT or its associated authentication server to enforce the limit of three consecutive invalid logon attempts by a user during a "15" minute time period.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "Lock account after" radio button is selected.
+4. Ensure that "3" password failures for "15" minutes is configured.Determine if CounterACT is configured either to enforce the limit of three consecutive invalid logon attempts by a user during a "15" minute time period or to use an authentication server that would perform this function.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "Lock account after" radio button is selected.
+4. Verify that "3" password failures for "15" minutes is configured.
+
+If the limit of three consecutive invalid logon attempts by a user during a "15" minute time period is not enforced, this is a finding.SRG-APP-000068-NDM-000215<GroupDescription></GroupDescription>CACT-NM-000021CounterACT must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.<VulnDiscussion>Display of the DoD-approved use notification before granting access to CounterACT ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90883V-76195CCI-0000481. Log on to the CounterACT Administrator UI.
+2. Select Tools >> Options >> User Console and Options >> Password and Login.
+3. Enable "Display this Notice and Consent Message after login" and complete the provided text input area to have the Standard Mandatory DoD and Consent Banner before granting access to the device. This banner must include the following text:
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details".
+
+4. Select "Apply" to save the settings.1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Enable "Display this Notice and Consent Message after login" and complete the provided text input area to have the Standard Mandatory DoD and Consent Banner appear before granting access to the device. This banner must include the following text:
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details".
+
+If this is not present, this is a finding.SRG-APP-000069-NDM-000216<GroupDescription></GroupDescription>CACT-NM-000022CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.<VulnDiscussion>The administrator must acknowledge the banner prior to CounterACT allowing the administrator access to CounterACT. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DoD will not be in compliance with system use notifications required by law.
+
+To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement.
+
+In the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, and then entering the password is also acceptable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90945V-76257CCI-000050Configure CounterACT to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the options for logon banner "require confirmation" is selected.Verify CounterACT retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the options for the logon banner "require confirmation" is selected.
+
+If CounterACT does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000023If any logs are stored locally which are not sent to the centralized audit server, CounterACT must back up audit records at least every seven days onto a different system or system component than the system or component being audited.<VulnDiscussion>Protection of log data includes ensuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to ensure, in the event of a catastrophic system failure, the audit records will be retained.
+
+This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.
+
+This requirement can be met by using of a syslog/audit log server if the device is configured to send logs to that server.
+
+Backup requirements would be levied on the target server but are not a part of this check.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90919V-76231CCI-001348CCI-000366Configure CounterACT to back up locally stored audit records on the Enterprise Manager or the appliances at least every seven days onto a different system or system component than the system or component being audited.
+
+1. Open the CounterACT Console and select Tools >> Options.
+2. Select the "+" next to "Advanced" menu (toward the bottom).
+3. Select the “Backup” submenu.
+4. On the "System Backup" tab, ensure the "Enable System Backup" radio button is selected.
+5. Ensure the Backup schedule is selected to at least "weekly".
+6. On the "Backup Server" tab, verify an external backup server is configured with SFTP or SCP (and appropriate port/protocol requirements).If all audit logs for the Enterprise Manager and appliances are sent to an audit log, this is not a finding.
+
+Determine if CounterACT backs up local logs on the Enterprise Manager or appliances at least every seven days onto a different system or system component than the system or component being audited. This requirement may be verified by configuration review.
+
+1. Open the CounterACT Console and select Tools >> Options.
+2. Select the "+" next to "Advanced" menu (toward the bottom).
+3. Select the “Backup” submenu.
+4. On the "System Backup" tab, verify the "Enable System Backup" radio button is selected.
+5. Verify the Backup schedule is selected to at least "weekly".
+6. On the "Backup Server" tab, verify an external backup server is configured with SFTP or SCP (and appropriate port/protocol requirements).
+
+If the network device does not back up audit records at least every seven days onto a different system or system component than the system or component being audited, this is a finding.SRG-APP-000133-NDM-000244<GroupDescription></GroupDescription>CACT-NM-000024CounterACT must limit privileges to change the software resident within software libraries.<VulnDiscussion>Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If CounterACT were to enable unauthorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90921V-76233CCI-001499Configure CounterACT to prevent access to change the software resident within software libraries for unauthorized personnel.
+
+1. Log on to the CounterACT Console and select Tools >> Options >> Console User Profiles.
+2. Select the non-privileged user profiles and then select "Edit".
+3. Verify the users do not have the "Plugin Management" and "Software Upgrade" options selected.Ask if there are users defined in CounterACT that are not authorized to change the software libraries.
+
+Verify that Administrator privileges have been restricted for these users.
+
+This is verified by reviewing the administrator account profiles and auditing the assigned privilege for updated CounterACT software.
+
+1. Log on to the CounterACT Console and select Tools >> Options >> Console User Profiles.
+2. Select the non-privileged user profiles and then select "Edit".
+3. Verify the users do not have the "Plugin Management" and "Software Upgrade" options selected.
+
+If CounterACT is not configured to limit privileges to change the software resident within software libraries for unauthorized users, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CACT-NM-000025CounterACT must disable all unnecessary and/or nonsecure plugins.<VulnDiscussion>CounterACT is capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
+
+If the 802.1x plugin is installed and there are no wireless APs or controllers directly managed by CounterACT, the wireless plugin should be disabled. The wireless plugin enabled with no configuration will also produce a finding.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90911V-76223CCI-000382Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. The following is an example of disabling the wireless plugin if no wireless devices are directly managed by CounterACT.
+
+Example:
+1. Connect to the CounterACT Console and select Tools >> Options >> Plugins.
+2. Determine if the wireless plugin status is "Enabled", select the plugin, and select "Stop" (for all appliances).
+
+This process can be used to disable or remove plugins not being used.Navigate to the plugin tool and remove all unneeded or unsecure services.
+
+1. Connect to the CounterACT Console and select Tools >> Options >> Plugins.
+2. Review the list of plugins. If an unnecessary or nonsecure service is "Enabled", select the plugin and then select "Configure".
+
+If no configuration is present, this is a finding.
+
+If any unnecessary or nonsecure functions are enabled, this is a finding.SRG-APP-000148-NDM-000346<GroupDescription></GroupDescription>CACT-NM-000027In the event the authentication server is unavailable, one local account must be created for use as the account of last resort.<VulnDiscussion>Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on CounterACT's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since the emergency administration account is strictly intended to be used only as a last resort when immediate administrative access is absolutely necessary.
+
+The number of local accounts is restricted to one. The username and password for the emergency account is contained within a sealed envelope kept in a safe. All other users/groups should leverage the external directory. Remove any other accounts using Single-Local. The default admin account may be used to fulfill this requirement (requires DoD compliant password or cryptographically generated shared secret).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90937V-76249CCI-001358CCI-002111Create a local account with full administrator privileges to be used as the account of last resort. The default admin account may be used to fulfill this requirement.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options.
+
+Remove unneeded accounts, if any.Verify that only one local account exists and it has full administrator privileges.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options.
+
+If more than one local user account exists, this is a finding.SRG-APP-000164-NDM-000252<GroupDescription></GroupDescription>CACT-NM-000030CounterACT must enforce a minimum 15-character password length.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
+
+The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90891V-76203CCI-0002051. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Configure the "minimum length" for "15".
+4. Verify additional complexity requirements are also met.Determine if the network device enforces a minimum 15-character password length. This requirement may be verified by demonstration or configuration review.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "minimum length" is configured for "15".
+
+If CounterACT does not enforce a minimum 15-character password length, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000031CounterACT must prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+To meet password policy requirements, passwords need to be changed at specific policy-based intervals.
+
+If the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90889V-76201CCI-000200CCI-000366Configure CounterACT to prohibit password reuse for a minimum of five generations.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "Last" radio button is selected and the option with "5" passwords cannot be reused is configured.Determine if CounterACT prohibits password reuse for a minimum of five generations. This requirement may be verified by demonstration or configuration review.
+
+1. Verify if the user profiles are using external authentication server or local. If using local, proceed to Step 2. If using external, verify the settings using the Authentication Server configuration guide.
+2. Log on to the CounterACT Administrator UI.
+3. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+4. Verify the "Last" radio button is selected and the option with "5" passwords cannot be reused is configured.
+
+If CounterACT does not prohibit password reuse for a minimum of five generations, this is a finding.SRG-APP-000168-NDM-000256<GroupDescription></GroupDescription>CACT-NM-000032CounterACT must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90885V-76197CCI-0001941. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Configure the complexity requirements to require the use of at least one numeric character in each password.Verify CounterACT enforces password complexity by requiring that at least one numeric character be used. This requirement may be verified by demonstration, configuration review, or validated test results.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the complexity requirements are met.
+
+If CounterACT does not require that at least one numeric character be used in each password, this is a finding.SRG-APP-000169-NDM-000257<GroupDescription></GroupDescription>CACT-NM-000033CounterACT must enforce password complexity by requiring that at least one special character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90923V-76235CCI-0016191. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Configure the complexity requirement for use of at least one special character.Verify CounterACT enforces password complexity by requiring that at least one special character be used. This requirement may be verified by demonstration, configuration review, or validated test results.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the complexity requirement for use of at least one special character is met.
+
+If CounterACT does not require that at least one special character be used in each password, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000034CounterACT must enforce a 60-day maximum password lifetime restriction.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.
+
+One method of minimizing this risk is to use complex passwords and periodically change them. If the network device does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the passwords could be compromised.
+
+This requirement does not include root account or the account of last resort which are meant for access to the network device in case of failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90887V-76199CCI-000199CCI-000366Configure CounterACT to enforce a 60-day maximum password lifetime.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "password expires after" radio button is selected and configured to 60 days.
+
+This requirement does not include root account or the account of last resort.Determine if CounterACT enforces a 60-day maximum password lifetime. This requirement may be verified by demonstration or configuration review. This requirement does not include root account or the account of last resort.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "password expires after" radio button is selected and configured to 60 days.
+
+If CounterACT does not enforce a 60-day maximum password lifetime, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000035CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90939V-76251CCI-002238CCI-000366Configure CounterACT to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "Lock account After" radio button is selected.
+4. Ensure that "3" is selected for the password failures setting.
+5. Ensure that "15" and "minutes" are selected.Determine CounterACT automatically locks the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
+
+This requirement may be verified by demonstration or configuration review.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "Lock account After" radio button is selected.
+4. Verify "3" is selected for the password failures setting.
+5. Verify that "15" and "minutes" are selected.
+
+If an account is not automatically locked out until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000036CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
+
+Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90947V-76259CCI-001891CCI-000366Configure CounterACT to compare internal information system clocks at least every 24 hours with an authoritative time server.
+
+1. Open an SSH session and authenticate to CounterACT command line.
+2. Configure the NTP servers with the command "fstool ntp setup <ip address>".Check the network device configuration to determine if the device compares internal information system clocks at least every 24 hours with an authoritative time server.
+
+1. Open an SSH session and authenticate to the CounterACT command line.
+2. Verify the configured NTP servers with the command "fstool ntp".
+3. Run the "date" command to look at the current system time compared to the known good, Network Time Protocol (NTP) server time.
+
+If the device does not compare internal information system clocks at least every 24 hours, this is a finding.SRG-APP-000373-NDM-000298<GroupDescription></GroupDescription>CACT-NM-000038CounterACT must be configured to synchronize internal information system clocks with the organizations primary and secondary NTP servers.<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
+
+Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. CounterACT appliances must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
+
+DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90929V-76241CCI-000366CCI-001893Configure CounterACT to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
+
+1. Open an SSH session and authenticate to the CounterACT command line.
+2. Configure the primary and secondary NTP servers with the command "fstool ntp setup <ip address>".Determine if CounterACT is configured to synchronize internal clocks with the organization's primary and secondary NTP servers.
+
+1. Open an SSH session and authenticate to the CounterACT command line.
+2. Verify a primary and secondary NTP server has been configured with the command "fstool ntp".
+
+If CounterACT is not configured to synchronize internal information system clocks with the organization's primary and secondary NTP servers, this is a finding.SRG-APP-000395-NDM-000310<GroupDescription></GroupDescription>CACT-NM-000039CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
+
+A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet).
+
+Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. For network device management, this has been determined to be network management device addresses, SNMP authentication, and NTP authentication. Use of non-secure versions of management protocols with well-known exploits puts the system at immediate risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90933V-76245CCI-001967Configure the network device to authenticate network management endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
+
+1. Select Tools >> Options >> Switch.
+2. Select a network device and review the "CLI" tab.
+3. If the radio button for "Use CLI" is selected, select the "SSH" drop-down option and use proper credentials.Review the CounterACT configuration to determine if the network device authenticates network management endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
+
+1. Select Tools >> Options >> Switch.
+2. Select a network device and review the "CLI" tab.
+3. If the radio button for "Use CLI" is selected, verify that the "SSH" drop-down option is also selected. Repeat this process for each switch.
+
+If anything other than SSH is selected, this is a finding.SRG-APP-000395-NDM-000310<GroupDescription></GroupDescription>CACT-NM-000040CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
+
+A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet).
+
+For network device management, this has been determined to be network management device addresses, SNMP authentication, and NTP authentication. Use of non-secure versions of management protocols with well-known exploits puts the system at immediate risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90935V-76247CCI-001967Configure CounterACT to authenticate SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
+
+1. Select Tools >> Options >> Switch.
+2. Select a network device and review the "SNMP" tab.
+3. Ensure that the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
+4. Ensure that the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.Review the CounterACT configuration to determine if the network device authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
+
+1. Select Tools >> Options >> Switch.
+2. Select a network device and review the "SNMP" tab.
+3. Verify that the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
+4. Verify that the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.
+
+If CounterACT does not authenticate the endpoint devices before establishing a connection using bidirectional authentication that is cryptographically based, this is a finding.SRG-APP-000408-NDM-000314<GroupDescription></GroupDescription>CACT-NM-000041CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personal only.<VulnDiscussion>There are security-related issues arising from software brought into the network device specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a device to troubleshoot system traffic or a vendor installing or running a diagnostic application to troubleshoot an issue with a vendor-supported device). If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system.
+
+This requirement addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational network devices. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers.
+
+This requirement does not cover hardware/software components that may support information system maintenance yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90907V-76219CCI-000366CCI-002883Configure the access privileges to CounterACT to restrict use of maintenance functions to authorized personnel only.
+
+1. Select Tools >> Options >> Console User Profiles.
+2. Adjust or remove the unauthorized group or user profile.
+
+Note: The RAFACS must also be inspected for unauthorized users.Determine if the network device restricts the use of maintenance functions to authorized personnel only. View the list of users defined on the device.
+
+ Select Tools >> Options >> Console User Profiles.
+
+If other personnel can use maintenance functions on the network device, this is a finding.SRG-APP-000515-NDM-000325<GroupDescription></GroupDescription>CACT-NM-000042CounterACT must sent audit logs to a centralized audit server (i.e., syslog server).<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90925V-76237CCI-001851Configure the network device to off-load audit records onto a different system or media than the system being audited.
+
+1. From the console, select Tools >> Options >> Plugins >> Syslog.
+2. Verify the Syslog Plugin is running (on all CounterACT appliances). If it is not, start the plugin in each appliance.
+3. Open the Plugin, selecting the appliance configuration for review.
+4. From the "Send To" tab, configure a Syslog server for Log export. (Refer to the CounterACT admin guide for additional references on proper configuration.)
+5. Ensure the Events Filtering includes ALL events, except the "Include only messages generated by the 'Send Message to Syslog' Action". This item should remain unchecked.Check the CounterACT configuration to determine if the device off-loads audit records onto a different system or media than the system being audited.
+
+1. From the console, select Tools >> Options >> Plugins >> Syslog.
+2. Verify the Syslog Plugin is running (on all CounterACT appliances).
+3. Open the Plugin, selecting the appliance configuration for review.
+4. Verify the "Send To" tab has an available log server properly configured.
+5. Verify the Events Filtering includes ALL events, except the "Include only messages generated by the 'Send Message to Syslog' Action". This item should remain unchecked.
+
+If the device does not off-load audit records onto a different system or media, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000044CounterACT must employ automated mechanisms to centrally apply authentication settings.<VulnDiscussion>The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which leads to delays in remediating production problems and addressing compromises in a timely fashion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90909V-76221CCI-000366CCI-000371Configure CounterACT to employ automated mechanisms to centrally apply authentication settings.
+
+1. Connect to the User Directory Console user interface.
+2. Select Tools >> Options >> User Directory.
+3. Add the configuration to the Active Directory configuration, select the chosen directory, and select "Test".Review the network device configuration to determine if it employs automated mechanisms to centrally apply authentication settings.
+
+1. Connect to the User Directory Console user interface.
+2. Select Tools >> Options >> User Directory.
+3. Verify the Active Directory configuration exists and tests pass by selecting the chosen directory and selecting "Test".
+
+If authentication settings are not applied centrally using automated mechanisms, this is a finding.SRG-APP-000001-NDM-000200<GroupDescription></GroupDescription>CACT-NM-000051CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type.<VulnDiscussion>Network device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator is helpful in limiting risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90955V-76267CCI-000054Configure CounterACT to require a limit of one session per user.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "allow only one login session per user" radio button is selected and configured to either Log out existing session or Deny new logon attempts.Determine if CounterACT requires a limit of one session per user. This requirement may be verified by demonstration or configuration review.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "allow only one login session per user" radio button is selected and configured to either Log out existing session or Deny new logon attempts.
+
+If CounterACT does not enforce one session per user, this is a finding.SRG-APP-000516-NDM-000317<GroupDescription></GroupDescription>CACT-NM-000086The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.<VulnDiscussion>The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90943V-76255CCI-000366CCI-000372Configure CounterACT to use an authentication server to access the device.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Directory.
+3. Enable the selected authentication server.Review the CounterACT configuration to determine if an authentication server is required to access the device.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Directory.
+3. Verify the selected authentication server is enabled for GUI authentication.
+
+If an authentication server is not configured for use by CounterACT, this is a finding.SRG-APP-000166-NDM-000254<GroupDescription></GroupDescription>CACT-NM-000147If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used.<VulnDiscussion>Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90951V-76263CCI-000192Configure CounterACT to require a minimum of one upper-case character.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "password must contain at least # upper case alphabetic characters" radio button is selected and configured to at least 1.Determine if CounterACT requires at least one upper-case character to be used in passwords. This requirement may be verified by demonstration or configuration review.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "password must contain at least # upper case alphabetic characters" radio button is selected and configured to at least 1.
+
+If CounterACT does not enforce at least one upper-case character, this is a finding.SRG-APP-000167-NDM-000255<GroupDescription></GroupDescription>CACT-NM-000148If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90953V-76265CCI-000193Configure CounterACT to require a minimum of one lower-case character.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Ensure the "password must contain at least # lower case alphabetic characters" radio button is selected and configured to at least 1.Determine if CounterACT requires at least one lower-case character to be used in passwords. This requirement may be verified by demonstration or configuration review.
+
+1. Log on to the CounterACT Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Verify the "password must contain at least # lower case alphabetic characters" radio button is selected and configured to at least 1.
+
+If CounterACT does not enforce at least one lower-case character, this is a finding.SRG-APP-000317-NDM-000282<GroupDescription></GroupDescription>CACT-NM-000149The network device must terminate shared/group account credentials when members leave the group.<VulnDiscussion>A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505SV-90941V-76253CCI-002142Establish and document a procedure that requires the changing of the account of last resort and root account password when users with knowledge of the password leave the group. To change the password:
+
+1. Log on to CounterACT's Administrator UI.
+2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
+3. Enter a new password.
+
+Note: Use of a cryptographically generated password is recommended. Password must be stored in a locked safe and used only when necessary since individual accounts are required to be used to ensure non-repudiation.Review the documentation to verify that a procedure exists to change the account of last resort and root account password when users with knowledge of the password leave the group.
+
+If a procedure does not exist to change the account of last resort and root account password when users with knowledge of the password leave the group, this is a finding.SRG-APP-000456<GroupDescription></GroupDescription>CACT-NM-999999The version of ForeScout CounterAct must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified period from the availability of the update. The specific period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ForeScout CounterACT NDMDISADPMS TargetForeScout CounterACT NDM5505CCI-002605Upgrade to a supported version.ForeScout CounterAct versions supported by this STIG (Version 8 and earlier) are no longer supported by the vendor. If the system is running any CounterAct version, this is a finding.
\ No newline at end of file
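Review bot: the content added in this hunk is not well-formed XML even though the benchmark files in this change carry the `-xccdf.xml` suffix: the XCCDF element markup (Benchmark, Group, Rule, check and fix wrappers) is absent and adjacent fields run together as plain text, e.g. near the end of the hunk `this is a finding.SRG-APP-000456<GroupDescription></GroupDescription>CACT-NM-999999The version of ForeScout CounterAct must be a supported version.`, so an XCCDF parser or SCAP scanner will reject the file; re-export the benchmark from the original DISA archive instead of committing this stripped text. Two smaller points: the file ends without a trailing newline (`\ No newline at end of file`), which should be fixed before merge; and the final rule CACT-NM-999999 states that every CounterAct version covered by this STIG is no longer vendor-supported and that "If the system is running any CounterAct version, this is a finding", so the benchmark is effectively retired and that status should be documented wherever these benchmarks are indexed.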
diff --git a/benchmarks/DISA/U_MS_OfficeSystem_2013_STIG_V2R2_Manual-xccdf.xml b/benchmarks/DISA/U_MS_OfficeSystem_2013_STIG_V2R2_Manual-xccdf.xml
new file mode 100644
index 000000000..55af7c94f
--- /dev/null
+++ b/benchmarks/DISA/U_MS_OfficeSystem_2013_STIG_V2R2_Manual-xccdf.xml
@@ -0,0 +1,225 @@
+acceptedMicrosoft Office System 2013 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 24 Jul 20243.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000033<GroupDescription></GroupDescription>DTOO208Office client polling of SharePoint servers published links must be disabled.<VulnDiscussion>Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Administrators configure published links to Office applications during initial deployment, and can add or change links as part of regular operations. These links appear on the My SharePoint Sites tab of the Open, Save, and Save As dialog boxes when opening and saving documents from these applications. Links can be targeted so that they only appear to users who are members of particular audiences.
+If a malicious person gains access to the list of published links, they could modify the links to point to unapproved sites, which could make sensitive data vulnerable to exposure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52755V-17670CCI-000213Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Server Settings "Disable the Office client from polling the SharePoint Server for published links" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Server Settings "Disable the Office client from polling the SharePoint Server for published links" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\portal
+
+If the value 'LinkPublishingDisabled' is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO182The Help Improve Proofing Tools feature for Office must be configured.<VulnDiscussion>The "Help Improve Proofing Tools" feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. Although this feature does not intentionally collect personal information, some of the content sent could include items that were marked as spelling or grammar errors, such as proper names and account numbers. However, any numbers such as account numbers, street addresses, and phone numbers are converted to zeroes when the data is collected. Microsoft uses this information solely to improve the effectiveness of the Office Proofing Tools, not to identify users.
+By default, this feature is enabled, if users choose to participate in the Customer Experience Improvement Program (CEIP). If an organization has policies that govern the use of external resources such as the CEIP, allowing the use of the "Help Improve Proofing Tools" feature might cause them to violate these policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52719V-17627CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Tools \ Options \ Spelling -> Proofing Data Collection "Improve Proofing Tools" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Tools >> Options >> Spelling >> Proofing Data Collection "Improve Proofing Tools" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following. HKCU\Software\Policies\Microsoft\Office\15.0\common\ptwatson
+
+If the value 'PTWOptIn' is REG_DWORD = 0, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO196A mix of policy and user locations for Office Products must be disallowed.<VulnDiscussion>When Microsoft Office files are opened from trusted locations, all the content in the files is enabled and active. Users are not notified about any potential risks that might be contained in the files, such as unsigned macros, ActiveX controls, or links to content on the Internet.
+By default, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy–created trusted locations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52745V-17560CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings -> Trust Center "Allow mix of policy and user locations" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings >> Trust Center "Allow mix of policy and user locations" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security\trusted locations
+
+If the value 'Allow User Locations' is REG_DWORD = 0, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO197Smart Documents use of Manifests in Office must be disallowed.<VulnDiscussion>An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. One or more components that provide the logic needed for a Smart Document are packaged by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files.
+The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, the locations of all files that make up the XML expansion pack are specified, as well as information that instructs Office 2013 how to set up the files for the Smart Document. The XML expansion pack can also contain information about how to set up other files, such as how to install and register a COM object required by the XML expansion pack.
+XML expansion packs can be used to initialize and load malicious code, which might affect the stability of a computer and lead to data loss. Office applications can load an XML expansion pack manifest file with a Smart Document.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52746V-17669CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\Common\Smart Tag
+
+If the value 'NeverLoadManifests' is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO203Legacy format signatures must be enabled.<VulnDiscussion>Office applications use the XML-based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 binary documents. XMLDSIG signatures are not recognized by Office 2003 applications or previous versions. If an Office user opens an Excel, PowerPoint, or Word binary document with an XMLDSIG signature attached, the signature will be lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52751V-17749CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Signing "Legacy format signatures" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Signing "Legacy format signatures" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\signatures
+
+If the value 'EnableCreationOfWeakXPSignatures' is REG_DWORD = 1, this is not a finding.
+
+Fix Text: Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Signing "Legacy format signatures" to "Enabled".SRG-APP-000516<GroupDescription></GroupDescription>DTOO204External Signature Services Menu for Office must be suppressed.<VulnDiscussion>Users can select Add Signature Services (from the Signature Line drop-down menu on the Insert tab of the Ribbon in Excel 2013, PowerPoint 2013, and Word 2013) to see a list of signature service providers on the Microsoft Office website. If an organization has policies that govern the use of external resources such as signature providers or Office Marketplace, allowing users to access the Add Signature Services menu item might enable them to violate those policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52752V-17805CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Signing "Suppress external signature services menu item" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Signing "Suppress external signature services menu item" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\signatures
+
+Criteria: If the value 'SuppressExtSigningSvcs' is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO206Inclusion of document properties for PDF and XPS output must be disallowed.<VulnDiscussion>If the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs is installed, document properties are saved as metadata when users save or publish files using the PDF or XPS commands in Access 2013, Excel 2013, InfoPath 2013, PowerPoint 2013, and Word 2013 using the PDF or XPS or Publish. If this metadata contains sensitive information, saving it with the file could compromise security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52753V-17660CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\fixedformat
+
+If the value 'DisableFixedFormatDocProperties' is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO212Blogging entries created from inside Office products must be configured for SharePoint only.<VulnDiscussion>The blogging feature in Office products enables users to compose blog entries and post them to their blogs directly from Office, without using any additional software.
+By default, users can post blog entries to any compatible blogging service provider, including Windows Live Spaces, Blogger, a SharePoint or Community Server site, and others. Leaving this capability enabled introduces the risk of users posting confidential and FOUO date to non-DoD sites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52756V-17581CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Miscellaneous "Control Blogging" to "Enabled (Only SharePoint blogs allowed)".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Miscellaneous "Control Blogging" is set to "Enabled (Only SharePoint blogs allowed)".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\Common\Blog
+
+If the value 'DisableBlog' is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO402The Enable Updates and Disable Updates options in the UI must be hidden from users.<VulnDiscussion>This policy setting allows the user interface (UI) options to enable or disable Office automatic updates to be hidden from users. These options are found in the Product Information area of all Office applications installed via Click-to-Run. This policy setting has no effect on Office applications installed via Windows Installer. If this policy setting is enabled, the "Enable Updates" and "Disable Updates" options in the UI are hidden from users. If this policy setting is not configured, the "Enable Updates" and "Disable Updates" options are visible, and users can enable or disable Office automatic updates from the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53191V-40859CCI-000366Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine)->Updates->"Hide option to enable or disable updates" is set to "Enabled".Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine)->Updates->"Hide option to enable or disable updates" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\software\policies\Microsoft\office\15.0\common\officeupdate
+
+Criteria: If the value HideEnableDisableUpdates is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO410When using the Office Feedback tool, the ability to include a screenshot must be disabled.<VulnDiscussion>The "Office Feedback" tool, also called "Send-a-Smile", allows a user to click on an icon and send feedback to Microsoft. The "Office Feedback" Tool must be configured to be disabled. In the event that the Office Feedback Tool has not been configured correctly as disabled, this policy configures whether the uploading of screenshots via the tool is allowed and should also be disabled. Uploading screenshots to a commercial vendor from a DoD computer may unintentionally reveal configuration and/or FOUO content.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53212V-40880CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Privacy -> Trust Center -> "Allow including screenshot with Office Feedback" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Privacy >> Trust Center >>"Allow including screenshot with Office Feedback" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\feedback
+
+If the value 'includescreenshot' is REG_DWORD = 0, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO412The ability to run unsecure Office apps must be disabled.<VulnDiscussion>Unsecure apps for Office, which are apps that have web page or catalog locations that are not SSL-secured (https://), and/or are not in users' Internet zones may allow data to be transmitted/accessed via clear text to outside sources. By configuring this policy to be disabled, users will be prevented from transmitting/accessing data in a nonsecure manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53214V-40882CCI-000366Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings >> Trust Center >> Trusted Catalogs "Allow Unsecure Apps and Catalogs" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings >> Trust Center >> Trusted Catalogs "Allow Unsecure Apps and Catalogs" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following hive:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\wef\trustedcatalogs
+
+If the value 'requireserververification' is REG_DWORD = 1, this is not a finding.
+SRG-APP-000516<GroupDescription></GroupDescription>DTOO416The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.<VulnDiscussion>This policy setting configures the Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If this policy setting is enabled, Office Telemetry Agent obfuscates the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. If this policy setting is disabled or not configured, the Office Telemetry Agent uploads telemetry data that shows the full file name, file path, and title of all Office documents.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53218V-40886CCI-000366Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on privacy setting in Office Telemetry Agent" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on privacy setting in Office Telemetry Agent" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\osm
+
+If the value 'enablefileobfuscation' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO183The Opt-In Wizard must be disabled.<VulnDiscussion>The Opt-in Wizard displays the first time users run a 2013 Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If an organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52720V-17664CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Privacy -> Trust Center "Disable Opt-in Wizard on first run" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Privacy >> Trust Center "Disable Opt-in Wizard on first run" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\general
+
+If the value 'ShownFirstRunOptin' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO184The Customer Experience Improvement Program for Office must be disabled.<VulnDiscussion>When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data.
+By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If an organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52721V-17612CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Privacy -> Trust Center "Enable Customer Experience Improvement Program" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Privacy >> Trust Center "Enable Customer Experience Improvement Program" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common
+
+Criteria: If the value 'QMEnable' is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO185Automatic receiving of small updates to improve reliability must be disallowed.<VulnDiscussion>Having access to updates, add-ins, and patches on the Office Online website can help users ensure computers are up to date and equipped with the latest security patches. However, to ensure updates are tested and applied in a consistent manner, many organizations prefer to roll out updates using a centralized mechanism such as Microsoft Systems Center or Windows Server Update Services.
+By default, users are allowed to download updates, add-ins, and patches from the Office Online Web site to keep their Office applications running smoothly and securely. If an organization has policies that govern the use of external resources such as Office Online, allowing users to download updates might cause them to violate these policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52722V-17740CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Privacy -> Trust Center "Automatically receive small updates to improve reliability" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Privacy >> Trust Center "Automatically receive small updates to improve reliability" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common
+
+If the value 'UpdateReliabilityData' is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO198The Internet Fax Feature must be disabled.<VulnDiscussion>Excel, PowerPoint, and Word users can use the Internet Fax feature to send documents to fax recipients through an Internet fax service provider. If your organization has policies that govern the time, place, or manner in which faxes are sent, this feature could help users evade those policies.
+By default, Office users can use the Internet Fax feature. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52747V-17661CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Services -> Fax "Disable Internet Fax feature" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Services >> Fax "Disable Internet Fax feature" to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\services\fax
+
+If the value 'NoFax' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO345Online content options must be configured for offline content availability.
+<VulnDiscussion>The Office 2013 Help system automatically searches MicrosoftOffice.com for content when a computer is connected to the Internet. Users can change this default by clearing the Search Microsoft Office.com for Help content when I'm connected to the Internet check box in the Privacy Options section of the Trust Center. If an organization has policies that govern the use of external resources such as Office.com, allowing the Help system to download content might cause users to violate these policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52758V-26630CCI-000381Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Tools >> Options >> General >> Service Options... >> Online Content "Online content options" to "Enabled: Do not allow Office to connect to the internet".Note: This check is Not Applicable when the use of Office 365 is against the specific DoD instance of O365.
+
+The use of Offline Content for Non-DoD instances of O365 is prohibited and it must not allow for personal account synchronization.
+
+All non-DoD instances are subject to this requirement.
+
+Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Tools >> Options >> General >> Service Options... >> Online Content "Online content options" is set to "Enabled: Do not allow Office to connect to the internet".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\internet
+
+If the value 'UseOnlineContent' is REG_DWORD = 0, this is not a finding.
+SRG-APP-000141<GroupDescription></GroupDescription>DTOO403The video informing a user about signing into Office365 must be disabled.<VulnDiscussion>Office 365 is a subscription-based service which offers access to various Microsoft Office applications. Access to Office 365 will not be permitted; only locally installed and configured Office 2013 installations will be used. Since the ability to sign into Office 365 will be disabled, this policy, which determines whether a video about signing into Office365 is played when Office first runs, will also be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53192V-40860CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> First Run -> "Disable First Run Movie" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> First Run >> "Disable First Run Movie" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\firstrun
+
+Criteria: If the value 'disablemovie' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO404The first-run prompt to sign into Office365 must be disabled.<VulnDiscussion>Office 365 functionality allows users to provide credentials for accessing Office 365 using either their Microsoft Account, or the user ID assigned by the organization. Access to Office 365 will not be permitted; only locally installed and configured Office 2013 installations will be used. Since the ability to sign into Office 365 will be disabled, this policy, which determines whether the Office First Run comes up on first application boot if not previously viewed, will also be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53193V-40861CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> First Run -> "Disable Office First Run on application boot" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> First Run >> "Disable Office First Run on application boot" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\firstrun
+
+Criteria: If the value 'bootedrtm' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO405 The ability to sign into Office365 must be disabled.<VulnDiscussion>Office 2013 can be configured to prompt users for credentials to Office365 using either their Microsoft Account or the user ID assigned by an organization for accessing Office 365. Access to Office 365 will not be permitted and only locally installed and configured Office installations will be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53194V-40862CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Miscellaneous -> "Block signing into Office" to "Enabled: org ID only".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Miscellaneous >> "Block signing into Office" is set to "Enabled: org ID only".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\signin
+
+If the value 'signinoptions' is REG_DWORD = 2, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO406The ability to automatically hyperlink screenshots within Word, PowerPoint, Excel and Outlook must be disabled.<VulnDiscussion>The ability to automatically bind hyperlink to a screenshot inserted through the Insert Screenshot tool introduces the possibility of a malicious URL or website being imbedded in the Word, PowerPoint, Excel or Outlook document. Disabling the hyperlink in those screenshots will ensure users do not have the ability to directly open the hyperlinks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53195V-40863CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Miscellaneous -> "Do not automatically hyperlink screenshots" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Miscellaneous >> "Do not automatically hyperlink screenshots" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\gfx
+
+If the value 'disablescreenshotautohyperlink' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO407The prompt to save to OneDrive (formerly SkyDrive) must be disabled.<VulnDiscussion>OneDrive (formerly SkyDrive) is a cloud based storage feature that introduces the capability for users to save documents to locations outside of protected enclaves. This feature introduces the risk that FOUO and PII data, as well as other DoD protected data, may be inadvertently stored in a nonsecure location. This setting, which will prompt the user to sign in to OneDrive while performing a file save operation, must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53196V-40864CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Miscellaneous -> "Show OneDrive Sign In" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Miscellaneous .> "Show OneDrive Sign In" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\general
+
+If the value 'SkyDriveSignInOption' is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO408Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.<VulnDiscussion>The Office Presentation Service is a free, public service that allows others to follow along in a web browser. Allowing this feature could result in presentations with DoD FOUO, PII and other protected data to be viewed in a nonsecure location. By disabling this policy, the user will not have the ability to deliver a presentation online.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53207V-40875CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Present Online -> "Remove Office Presentation Service from the list of online presentation services in PowerPoint and Word" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Present Online >> "Remove Office Presentation Service from the list of online presentation services in PowerPoint and Word" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\broadcast
+
+If the value 'disabledefaultservice' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO411The Office Feedback tool must be disabled.<VulnDiscussion>The "Office Feedback" tool, also called "Send-a-Smile", allows a user to click on an icon and send feedback to Microsoft. Applications used by DoD users should not be able to provide feedback to commercial vendors regarding their positive and negative experiences when using Office due to the potential of unintentionally revealing FOUO or other protected content.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53213V-40881CCI-000381Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Privacy >> Trust Center >> "Send Office Feedback" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Privacy >> Trust Center >> "Send Office Feedback" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\feedback
+
+If the value 'enabled' is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO414Roaming settings must be stored locally and not synchronized to the Microsoft Office roaming settings web service.<VulnDiscussion>Microsoft Office includes the ability to roam settings for specific Office features amongst devices by storing this data in the cloud. This data includes user activity such as the list of most recently used documents as well as user preferences such as the Office theme. This policy setting controls whether this data is allowed to be stored in the cloud. If this policy setting is enabled, roaming settings are only stored locally and not synchronized to the Microsoft Office roaming settings web service. If this policy setting is disabled or not configured, roaming settings are synchronized with the Microsoft Office roaming settings web service and users can access their data from other devices. Existing data in the cloud is not affected by this policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53216V-40884CCI-000381Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Services >> "Disable Roaming Office User Settings" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Services >> "Disable Roaming Office User Settings" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\roaming
+
+If the value 'roamingsettingsdisabled' is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO415The ability of the Office Telemetry Agent to periodically upload telemetry data to a shared folder must be disabled.<VulnDiscussion>Office Telemetry is a new compatibility monitoring framework. When an Office document or solution is loaded, used, closed, or raises an error in certain Office 2013 applications, the Office Telemetry application adds a record about the event to a local data store. Each record includes a description of the problem and a link to more information. Inventory and usage data is also tracked. The actual logging capability will be enabled, but this policy allows that data to be uploaded to a remote location which, if enabled, could pass information about the internal network and configuration to that remote site.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53217V-40885CCI-000381Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on data uploading for Office Telemetry Agent" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on data uploading for Office Telemetry Agent" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\osm
+
+If the value 'enableupload' is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO417The Office Telemetry Agent and Office applications must be configured to collect telemetry data.<VulnDiscussion>Office Telemetry is a new compatibility monitoring framework. When an Office document or solution is loaded, used, closed, or raises an error in certain Office 2013 applications, the Office Telemetry application adds a record about the event to a local data store. Each record includes a description of the problem and a link to more information. Inventory and usage data is also tracked. This policy setting allows the data collection features in Office that are used by the Office Telemetry Dashboard and Office Telemetry Log to be turned on. If this policy setting is enabled, Office Telemetry Agent and Office applications will collect telemetry data, which includes Office application usage, most recently used Office documents (including file names) and solutions usage, compatibility issues, and critical errors that occur on the local computers. Office Telemetry Dashboard can be used to view this data remotely, and users can use Office Telemetry Log to view this data on their local computers. 
If this policy setting is disabled or not configured, the Office Telemetry Agent and Office applications do not generate or collect telemetry data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53219V-40887CCI-000381Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on telemetry data collection" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on telemetry data collection" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\osm
+
+If the value 'enablelogging' is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO179Documents must be configured to not open as Read Write when browsing.<VulnDiscussion>By default, when an Office 2013 document on a web server is opened using Internet Explorer, the appropriate application opens the file in read-only mode. However, if the default configuration is changed, the document is opened as read/write. Users could potentially make changes to documents and resave them in situations where the web server security is not configured to prevent such changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52714V-17759CCI-001170Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Tools | Options | General | Web Options... >> Files "Open Office documents as read/write while browsing" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Tools | Options | General | Web Options... >> Files "Open Office documents as read/write while browsing" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\internet
+
+If the value 'OpenDocumentsReadWriteWhileBrowsing' for REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO180Relying on Vector markup Language (VML) for displaying graphics in browsers must be disallowed.<VulnDiscussion>When saving documents as web pages, Excel, PowerPoint, and Word can save vector-based graphics in Vector Markup Language (VML), which enables Internet Explorer to display them smoothly at any resolution. By default, when saving VML graphics, Office applications also save copies of the graphics in a standard raster file format (GIF or PNG) for use by browsers that cannot display VML. If the "Rely on VML for displaying graphics in browsers" check box in the web Options dialog box is selected, applications will not save raster copies of VML graphics, which means those graphics will not display in non-Microsoft browsers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52715V-17773CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Tools \ Options \ General \ Web Options -> Browsers "Rely on VML for displaying graphics in browsers" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Tools >> Options >> General >> Web Options >> Browsers "Rely on VML for displaying graphics in browsers" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\internet.
+
+If the value 'RelyOnVML' is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO193Automation Security to enforce macro level security in Office documents must be configured.<VulnDiscussion>When a separate program is used to launch Microsoft Office Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked. This functionality could allow an attacker to use automation to run malicious code in Excel, PowerPoint, or Word.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52730V-17741CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Automation Security" to "Enabled (Use application macro security level)".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Automation Security" is set to "Enabled (Use application macro security level)".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\Common\Security
+
+If the value "AutomationSecurity" is REG_DWORD =2, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO409The ability to create an online presentation programmatically must be disabled.<VulnDiscussion>Allowing online presentations to be created programmatically allows for the capability of malicious content to become imbedded in those programmatically created presentations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53211V-40879CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Present Online -> "Restrict programmatic access for creating online presentations in PowerPoint and Word" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Present Online >> "Restrict programmatic access for creating online presentations in PowerPoint and Word" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\broadcast
+
+If the value 'disableprogrammaticaccess' is REG_DWORD = 1, this is not a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTOO188Document metadata for password protected files must be protected.<VulnDiscussion>When an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52725V-17768CCI-001199Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Protect document metadata for password protected files" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Protect document metadata for password protected files" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security
+
+If the value 'OpenXMLEncryptProperty' is REG_DWORD = 1, this is not a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTOO189The encryption type for password protected Open XML files must be set.<VulnDiscussion>If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files. Since some encryption types are less secure and easier to breach, Microsoft Enhanced RSA and AES Cryptographic Provider, AES-256, 256-bit should be used when encrypting documents.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52726V-17619CCI-001199Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Encryption type for password protected Office Open XML files" to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Encryption type for password protected Office Open XML files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256)".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security
+
+If the value 'OpenXMLEncryption' is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256", this is not a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTOO190The encryption type for password protected Office 97 thru Office 2003 must be set.<VulnDiscussion>If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files. Since some encryption types are less secure and easier to breach, Microsoft Enhanced RSA and AES Cryptographic Provider, AES-256, 256-bit should be used when encrypting documents.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52727V-17617CCI-001199Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Encryption type for password protected Office 97-2003 files" to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Encryption type for password protected Office 97-2003 files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256)".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security
+
+If the value 'DefaultEncryption12' is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256", this is not a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTOO195Passwords for secured documents must be enforced.<VulnDiscussion>If 2013 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents already protected by access control lists, or provide a means of securing documents not protected by file-level security.
+By default, users can add passwords to Excel 2013 workbooks, PowerPoint 2013 presentations, and Word 2013 documents from the Save or Save As dialog box by clicking Tools, clicking General Options, and entering appropriate passwords to open or modify the documents. If this configuration is changed, the General Options dialog box for saving with a password will not be available for the user to password-protect their documents.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52744V-17665CCI-001199Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Disable password to open UI" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Disable password to open UI" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following key:
+HKCU\Software\Policies\Microsoft\Office\15.0\common\security
+
+If the value 'DisablePasswordUI' is REG_DWORD = 0, this is not a finding.
+
+Fix Text: Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Disable password to open UI" to "Disabled". SRG-APP-000209<GroupDescription></GroupDescription>DTOO186Trust Bar notifications for Security messages must be enforced.<VulnDiscussion>The Message Bar in Office applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer.
+By default, if an Office application detects a security issue, the Message Bar is displayed. However, this configuration can be modified by users in the Trust Center.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52723V-17590CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Disable all Trust Bar notifications for security issues" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Disable all Trust Bar notifications for security issues" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\trustcenter
+
+If the value 'TrustBar' is REG_DWORD = 0, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO192Load controls in forms3 must be disabled from loading.<VulnDiscussion>ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant.
+To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it could mean the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.
+SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety is not important, but the control would still be safe for use in a Web page.
+If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52729V-17750CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Load Controls in Forms3" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Load Controls in Forms3" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\keycupoliciesmsvbasecurity
+
+If the value 'LoadControlsInForms' exists, this is a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO413Users must be prevented from using or inserting apps that come from the Office Store.<VulnDiscussion>This policy setting allows users to be prevented from using or inserting apps that come from the Office Store. If this policy setting is enabled, apps from the Office Store are blocked. If this policy setting is disabled or not configured, apps from the Office Store are allowed, unless the "Block Apps for Office" policy setting is enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-53215V-40883CCI-001749Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings >> Trust Center >> Trusted Catalogs "Block the Office Store" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings >> Trust Center >> Trusted Catalogs "Block the Office Store" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\wef\trustedcatalogs
+
+If the value 'disableomexcatalogs' is REG_DWORD = 1, this is not a finding.SRG-APP-000328<GroupDescription></GroupDescription>DTOO199Changing permissions on rights managed content for users must be enforced.<VulnDiscussion>This setting controls whether Office 2013 users can change permissions for content that is protected with Information Rights Management (IRM). The Information Rights Management feature of Office 2013 allows individuals and administrators to specify access permissions to Word documents, Excel workbooks, PowerPoint presentations, InfoPath templates and forms, and Outlook email messages. This functionality helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52748V-17765CCI-002165Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Manage Restricted Permissions "Prevent users from changing permissions on rights managed content" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Manage Restricted Permissions "Prevent users from changing permissions on rights managed content" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\drm
+
+Criteria: If the value 'DisableCreation' is REG_DWORD = 0, this is not a finding.SRG-APP-000328<GroupDescription></GroupDescription>DTOO200Office must be configured to not allow read with browsers.<VulnDiscussion>The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2013 Office release to view, but not alter, files with restricted permissions. By default, IRM-enabled files are saved in a format that cannot be viewed by using the Windows Rights Management Add-on. If this setting is enabled, an embedded rights-managed HTML version of the content is saved with each IRM-enabled file, which can be viewed in Internet Explorer using the add-on, representing the risk of documents being read by those without the rights and not intended to have access to the document.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52749V-17583CCI-002165Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Manage Restricted Permissions "Allow users with earlier versions of Office to read with browsers" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Manage Restricted Permissions "Allow users with earlier versions of Office to read with browsers" is set to "Disabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\drm
+
+If the value 'IncludeHTML' is REG_DWORD = 0, this is not a finding.SRG-APP-000340<GroupDescription></GroupDescription>DTOO201Connection verification of permissions must be enforced.<VulnDiscussion>Users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when attempting to open Office documents, they might be able to access documents after their licenses have been revoked. Also, it is not possible to log the usage of files with restricted permissions if users' licenses are not confirmed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52750V-17731CCI-002235Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Manage Restricted Permissions "Always require users to connect to verify permission" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Manage Restricted Permissions "Always require users to connect to verify permission" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\drm
+
+Criteria: If the value 'RequireConnection' is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO191ActiveX control initialization must be disabled.<VulnDiscussion>ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates a control is safe to open and run, and it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not.
+If a control is not marked SFI, it is possible the control could adversely affect a computer—or it could mean the developers did not test the control in all situations and are not sure whether it might be compromised in the future.
+By default, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users the controls have been disabled and prompts them to respond.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52728V-17547CCI-002460Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "ActiveX Control Initialization" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "ActiveX Control Initialization" is set to "Disabled".
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\Common\Security
+
+If the value 'UFIControls' exists, this is a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO194Hyperlink warnings for Office must be configured for use.<VulnDiscussion>Unsafe hyperlinks are links that might pose a security risk if users click them. Clicking an unsafe link could compromise the security of sensitive information or harm the computer.
+Links that Office considers unsafe include links to executable files, TIFF files, and Microsoft Document Imaging (MDI) files. Other unsafe links are those using protocols considered to be unsafe, including msn, nntp, mms, outlook, and stssync.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52731V-17659CCI-002460Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Suppress hyperlink warnings" to "Disabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Suppress hyperlink warnings" is set to "Disabled".
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security
+
+Criteria: If the value 'DisableHyperLinkWarning' is REG_DWORD = 0, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO207Document Information panel Beaconing must show UI.<VulnDiscussion>This policy setting controls whether users see a security warning when they open custom Document Information Panels that contain a web beaconing threat. Web beacons can be used to contact an external server when users open forms. Information could be gathered by the form, or information entered by users could be sent to an external server, exposing the internal users and systems to additional attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52754V-17605CCI-002460Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Document Information Panel "Document Information Panel Beaconing UI" to "Enabled (Always show UI)".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Document Information Panel "Document Information Panel Beaconing UI" is set to "Enabled (Always show UI)".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\documentinformationpanel
+
+If the value 'Beaconing' is REG_DWORD = 1, this is not a finding.SRG-APP-000429<GroupDescription></GroupDescription>DTOO187Rights managed Office Open XML files must be protected.<VulnDiscussion>When Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted. This configuration could allow potentially sensitive information such as the document author and hyperlink references to be exposed to unauthorized individuals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52724V-17769CCI-002476Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Protect document metadata for rights managed Office Open XML Files" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Protect document metadata for rights managed Office Open XML Files" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security
+
+If the value 'DRMEncryptProperty' is REG_DWORD = 1, this is not a finding.SRG-APP-000429<GroupDescription></GroupDescription>DTOO321Encrypt document properties must be configured for OLE documents.
+<VulnDiscussion>This policy setting allows a document's properties to be encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. Disabling this setting will prevent the encryption of document properties, which may expose sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227SV-52757V-26704CCI-002476Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Encrypt document properties" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Encrypt document properties" is set to "Enabled".
+
+Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security
+
+Criteria: If the value 'EncryptDocProps' is REG_DWORD = 1, this is not a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTOO401The version of Microsoft Office running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2013DISADPMS TargetMicrosoft Office System 20134227V-40858SV-53190CCI-002605Upgrade to a supported version.Microsoft Office 2013 is no longer supported by the vendor. If the system is running Microsoft Office 2013, this is a finding.
\ No newline at end of file
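Review bot: The committed body of this file is not well-formed XCCDF even though the path ends in `-xccdf.xml`: throughout the hunk (e.g. the run `this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO193Automation Security ...`) the Benchmark, Group, Rule, title, fixtext and check-content wrappers are absent and only a few inner elements such as `<GroupDescription>`, `<VulnDiscussion>` and `<Documentable>` survive, so any XCCDF/SCAP consumer will reject the file and the rule ids, CCIs and check text are no longer addressable by element; please commit the original DISA XML rather than this tag-stripped dump, or rename the file to make clear it is a text export. Two smaller points in the same hunk: the DTOO192 check text reads `Use the Windows Registry Editor to navigate to the following HKCU\keycupoliciesmsvbasecurity`, which is not a valid registry path as written and should be flagged (or annotated) before anything automates on it, and the file lacks a trailing newline (`\ No newline at end of file`), which the other benchmark files in this directory should be kept consistent with.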
diff --git a/benchmarks/DISA/U_MS_PowerPoint_2010_STIG_V1R11_Manual-xccdf.xml b/benchmarks/DISA/U_MS_PowerPoint_2010_STIG_V1R11_Manual-xccdf.xml
new file mode 100644
index 000000000..6677701ac
--- /dev/null
+++ b/benchmarks/DISA/U_MS_PowerPoint_2010_STIG_V1R11_Manual-xccdf.xml
@@ -0,0 +1,269 @@
+acceptedMicrosoft PowerPoint 2010 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 11 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000210<GroupDescription></GroupDescription>DTOO104 - PowerPointDisabling of user name and password syntax from being used in URLs must be enforced.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17173SV-33406CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the "powerpnt.exe" and "pptview.exe" check boxes.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Disable user name and password" must be "Enabled" and a check in the "powerpnt.exe" and "pptview.exe" check boxes must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO110 - PowerPointBlocking as default file block opening behavior must be enforced.<VulnDiscussion>Users can open, view, or edit a large number of file types in PowerPoint 2010. Some file types are safer than others, as some could allow malicious code to become active on user computers or the network. For this reason, disabling or not configuring this setting could allow malicious code to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26612SV-33933CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> File Block Settings "Set default file block behavior" to "Enabled: Blocked files are not opened".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> File Block Settings "Set default file block behavior" must be "Enabled: Blocked files are not opened".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\fileblock
+
+Criteria: If the value OpenInProtectedView is REG_DWORD = 0, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO111 - PowerPointEnabling IE Bind to Object functionality must be present.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17174SV-33389CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the "powerpnt.exe" and "pptview.exe" check boxes.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Bind to Object" must be "Enabled" and a check in the "powerpnt.exe" and "pptview.exe" check boxes must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO117 - PowerPointSaved from URL mark to assure Internet zone processing must be enforced.<VulnDiscussion>Typically, when Internet Explorer loads a Web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17175SV-33417CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled"and place a check in the "powerpnt.exe" and "pptview.exe" check boxes.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Saved from URL" must be "Enabled" and a check in the "powerpnt.exe" and "pptview.exe" check boxes must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO119 - PowerPointConfiguration for file validation must be enforced.<VulnDiscussion>Office Binary Documents (97-2003) are checked to see if they conform against the file format schema before they are opened.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26592SV-33935CCI-001695Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Turn off file validation" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Turn off file validation" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\filevalidation
+
+Criteria: If the value EnableOnLoad is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO121 - PowerPointFiles from the Internet zone must be opened in Protected View.<VulnDiscussion>This policy setting allows for determining if files downloaded from the Internet zone open in Protected View. If enabling this policy setting, files downloaded from the Internet zone do not open in Protected View. If disabling or not configuring this policy setting, files downloaded from the Internet zone open in Protected View.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26614SV-33862CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files from the Internet zone in Protected View" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files from the Internet zone in Protected View" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\protectedview
+
+Criteria: If the value DisableInternetFilesInPV is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO123 - PowerPointNavigation to URL's embedded in Office products must be blocked.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17183SV-33413CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled"and place a check in the "powerpnt.exe" and "pptview.exe" check boxes.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Navigate URL" must be "Enabled" and a check in the "powerpnt.exe" and "pptview.exe" check boxes must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO124 - PowerPointScripted Window Security must be enforced.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26588SV-33804CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" must be set to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO126 - PowerPointAdd-on Management functionality must be allowed.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26584SV-33784CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Add-on Management" must be set to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following keys:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO127 - PowerPointApplication add-ins must be signed by Trusted Publisher.<VulnDiscussion>Office 2010 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous add-in. As a result, malicious code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26589SV-33852CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" must be set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value RequireAddinSig is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO128 - PowerPointData Execution Prevention must be enforced.<VulnDiscussion>Data Execution Prevention (DEP) is a set of hardware and software technologies performing additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is to help prevent code execution from data pages. Enabling this setting, turns off Data Execution Prevention. As a result, malicious code takes advantage of code injection or buffer overflow vulnerabilities possibly exploiting the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26590SV-33858CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Turn off Data Execution Prevention" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Turn off Data Execution Prevention" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value EnableDEP is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO129 - PowerPointLinks that invoke instances of IE from within an Office product must be blocked.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17184SV-33395CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and select "powerpnt.exe" and "pptview.exe".The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Block popups" must be "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO131 - PowerPointTrust Bar Notifications for unsigned application add-ins must be blocked.<VulnDiscussion>If an application is configured to require all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message informing users about the unsigned add-in.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17187SV-33604CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins and block them" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins and block them" must be "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO132 - PowerPointFile Downloads must be configured for proper restrictions.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interacting with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26587SV-33802CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict File Download" must be set to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO133 - PowerPointAll automatic loading from Trusted Locations must be disabled.<VulnDiscussion>Trusted locations specified in the Trust Center are used to define file locations assumed to be safe. Content, code, and add-ins are allowed to load from trusted locations with a minimal amount of security, without prompting the users for permission. If a dangerous file is opened from a trusted location, it will not be subject to standard security measures and could harm users' computers or data. By default, files located in trusted locations (those specified in the Trust Center) are assumed to be safe.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17471SV-33608CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Disable all trusted locations" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Disable all trusted locations" must be set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\trusted locations
+
+Criteria: If the value AllLocationsDisabled is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO134 - PowerPointDisallowance of Trusted Locations on the network must be enforced.<VulnDiscussion>Files located in Trusted Locations and specified in the Trust Center are assumed to be safe. Content, code, and add-ins are allowed to load from Trusted Locations with minimal security and without prompting the user for permission. By default, users can specify Trusted Locations on network shares, or in other remote locations not under their direct control, by selecting the "Allow Trusted Locations on my network"(not recommended) check box in the Trusted Locations section of the Trust Center. If a dangerous file is opened from a trusted location, it will not be subject to typical security measures and could affect users' computers or data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17520SV-33607CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Allow Trusted Locations on the network" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Allow Trusted Locations on the network" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\trusted locations
+
+Criteria: If the value AllowNetworkLocations is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO139 - PowerPointSave files default format must be configured.<VulnDiscussion>When users create new PowerPoint files, PowerPoint 2010 saves them in the new *.pptx format. Ensure this setting is enabled to specify that all new files are created in PowerPoint 2010. If a new file is created in an earlier format, some users may not be able to open or use the file, or they may choose a format this is less secure than the PowerPoint 2010 format. Users can still select a specific format when they save files, but they cannot change default of this setting from the PowerPoint Options dialog box. This enforced user behavior ensures any change to the file format requires additional deliberate user interaction.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17521SV-33599CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Save "default file format" to "Enabled PowerPoint Presentation (*.pptx)".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Save "default file format" must be set to "Enabled PowerPoint Presentation (*.pptx)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\options
+
+Criteria: If the value DefaultFormat is REG_DWORD = 1b (hex) 27 (dec) , this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO142 - PowerPointForce encrypted macros to be scanned in open XML documents must be determined and configured.<VulnDiscussion>When an Office Open XML document (Word, Excel, and PowerPoint) is rights-managed, or password-protected, any macros embedded in the document are encrypted along with the rest of the contents. By default, these encrypted macros will be disabled unless they are scanned by antivirus software immediately before being loaded. If this default configuration is modified, Office products will not require encrypted macros to be scanned before loading. They will be handled as specified by the Office System macro security settings, which can cause macro viruses to load undetected and lead to data loss or reduced application functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17473SV-33602CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Scan encrypted macros in PowerPoint Open XML presentations" to "Enabled (Scan encrypted macros (default)".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Scan encrypted macros in PowerPoint Open XML presentations" must be "Enabled (Scan encrypted macros (default)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value PowerPointBypassEncryptedMacroScan is REG_DWORD = 0, this not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO146 - PowerPointTrust access for VBA must be disallowed.<VulnDiscussion>VSTO projects require access to the Visual Basic for Applications project system in Excel, PowerPoint, and Word, even though the projects do not use Visual Basic for Applications. Design-time support of controls in both Visual Basic and C# projects depends on the Visual Basic for Applications project system in Word and Excel. By default, Excel, Word, and PowerPoint do not allow automation clients to have programmatic access to VBA projects. Users can enable this by selecting the Trust access to the VBA project object model in the Macro Settings section of the Trust Center. However, doing so allows macros in any documents the user opens to access the core Visual Basic objects, methods, and properties, which represents a potential security hazard.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17522SV-33605CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Trust access to Visual Basic Project" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "Trust access to Visual Basic Project" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value AccessVBOM is REG_DWORD=0, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO209 - PowerPointProtection from zone elevation must be enforced.<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26585SV-33787CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" must be set to "Enabled"and "powerpnt.exe" and "pptview.exe" are checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000384<GroupDescription></GroupDescription>DTOO210 - PowerPointPre-release versions of file formats new to Office Products must be blocked.<VulnDiscussion>This policy setting controls whether users with the Microsoft Office Compatibility Pack for PowerPoint 2010 File Formats installed can open Office Open XML files saved with pre-release versions of PowerPoint 2010. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17322SV-33449CCI-001764Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Office 2010 Converters "Block opening of pre-release versions of file formats new to PowerPoint 2010 through the Compatibility Pack for Office 2010 and PowerPoint 2010 Converter" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Office 2010 Converters "Block opening of pre-release versions of file formats new to PowerPoint 2010 through the Compatibility Pack for Office 2010 and PowerPoint 2010 Converter" must be set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\fileblock
+
+Criteria: If the value PowerPoint12BetaFilesFromConverters is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO211 - PowerPointActiveX Installs must be configured for proper restriction.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26586SV-33796CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" must be set to "Enabled" and "powerpnt.exe" and "pptview.exe" are checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO288 - PowerPointFiles in unsafe locations must be opened in Protected View.<VulnDiscussion>This policy setting determines if files located in unsafe locations will open in Protected View. If unsafe locations have not been specified, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations. If enabling this policy setting, files located in unsafe locations do not open in Protected View. If disabling or not configuring this policy setting, files located in unsafe locations open in Protected View.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26615SV-33866CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files in unsafe locations in Protected View" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files in unsafe locations in Protected View" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\protectedview
+
+Criteria: If the value DisableUnsafeLocationsInPV is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO289 - PowerPointThe ability to run programs from a PowerPoint presentation must be disallowed.<VulnDiscussion>Action buttons can be used to launch external programs from PowerPoint presentations. If a malicious person adds an action button to a presentation that launches a dangerous program, it could significantly affect the security of a user's computer and data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17788SV-33601CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Run Programs" to "Enabled (disable - (don't run any programs))".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Run Programs" must be "Enabled (disable - (don't run any programs))".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value RunPrograms is REG_DWORD = 0, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO290 - PowerPointHidden markup options must be visible.<VulnDiscussion>PowerPoint presentations that are saved in standard or HTML format can contain a flag indicating whether markup (comments or ink annotations) in the presentation should be visible when the presentation is open. PowerPoint ignores this flag when opening a file, and always displays any markup present in the file. In addition, when saving a file, PowerPoint sets the flag to display markup when the presentation is next opened.
+
+If this default configuration is changed, PowerPoint sets the flag according to the state of the Show Markup option on the Review tab of the Ribbon when it saves presentations in standard or HTML format. In addition, PowerPoint enables or disables the Show Markup option according to the way the flag is set when it opens files, which means that a presentation saved with hidden markup is opened with the markup still hidden.
+
+If a file is saved with hidden markup, users might inadvertently distribute sensitive comments or information to others via the presentation file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17752SV-33600CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Make hidden markup visible" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Make hidden markup visible" must be set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\options
+
+Criteria: If the value MarkupOpenSave is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO291 - PowerPointAutomatic download of linked images must be disallowed.<VulnDiscussion>When users insert images into PowerPoint presentations, they can select Link to File instead of Insert. If they do so, the image is represented by a link to a file on disk instead of being embedded in the presentation file itself. By default, when PowerPoint opens a presentation it does not display any linked images saved on a different computer unless the presentation itself is saved in a trusted location (as configured in the Trust Center). If this configuration is changed, PowerPoint will load any images that were saved in remote locations, which presents a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17809SV-33603CCI-001169Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Unblock automatic download of linked images" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security "Unblock automatic download of linked images" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value DownloadImages is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO292 - PowerPointDocument behavior if file validation fails must be set.<VulnDiscussion>This policy key controls the behavior of how Office documents should be handled when failing File Validation. The options available are:
+-Block files completely. This will prevent users from opening files.
+-Open files in Protected View and disallow edit. This will prevent users from editing the files.
+-Open files in Protected view and allow edit. This will allow users to edit the files.
+
+If disabling or not configuring this policy setting, the default setting will be, "open files in protected view and allow edit".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26616SV-33869CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Set document behavior if file validation fails" to "Enabled: Open in Protected View" and Unchecked for "Do not allow edit".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Set document behavior if file validation fails" must be "Enabled: Open in Protected View" and Unchecked for "Do not allow edit".
+
+Procedure: Use the Windows Registry Editor to navigate to the following keys:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\filevalidation
+
+Criteria: If the value OpenInProtectedView is REG_DWORD = 1, this is not a finding.
+
+AND
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\filevalidation
+
+Criteria: If the value DisableEditFromPV is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO293 - PowerPointAttachments opened from Outlook must be in Protected View.<VulnDiscussion>This policy setting allows for determining if Excel files in Outlook attachments open in Protected View. If enabling this policy setting, Outlook attachments do not open in Protected View. If disabling or not configuring this policy setting, Outlook attachments open in Protected View.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26617SV-33876CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Turn off Protected View for attachments opened from Outlook" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Turn off Protected View for attachments opened from Outlook" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security\protectedview
+
+Criteria: If the value DisableAttachmentsInPV is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO304 - PowerPointWarning Bar settings for VBA macros must be configured.<VulnDiscussion>When users open files containing VBA Macros, applications open the files with the macros disabled and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them. Disabling or not configuring this setting may allow dangerous macros to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-17545SV-33606CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "VBA Macro Notification Settings" to "Enabled (Disable all with notification)".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> PowerPoint Options -> Security -> Trust Center "VBA Macro Notification Settings" must be "Enabled (Disable all with notification)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\security
+
+Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO319 - PowerPointThe configuration for Slide Update with counterparts must be disallowed.<VulnDiscussion>This setting controls whether users can link slides in a presentation with their counterparts in a PowerPoint Slide Library. If you enable this policy setting, PowerPoint cannot check the status of a slide in a Slide Library when a presentation with Slide Update data is opened. If you disable or do not configure this policy setting, each time users open a presentation that contains a shared slide, PowerPoint notifies them if the slide has been updated and provides them with the opportunity to ignore the update, append a new slide to the outdated slide, or replace the outdated slide with the updated one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366V-26639SV-34090CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> Miscellaneous "Disable Slide Update" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2010 -> Miscellaneous "Disable Slide Update" must be set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\powerpoint\slide libraries
+
+Criteria: If the value DisableSlideUpdate is REG_DWORD = 1, this is not a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTOO999 - PowerPointThe version of PowerPoint running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2010DISADPMS TargetMicrosoft PowerPoint 20105366CCI-002605Upgrade to a supported version.PowerPoint 2010 is no longer supported by the vendor. If the system is running PowerPoint 2010, this is a finding.
\ No newline at end of file
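Review bot: as shown, this hunk carries none of the XCCDF element structure (no Benchmark, Group, Rule or check-content elements; the content begins at "accepted" with no root element), only the flattened rule text plus the escaped pseudo-tags such as <VulnDiscussion> and <GroupDescription> that DISA embeds inside the description field. If the committed file really is this flattened text rather than the original DISA XML, SCAP tooling will not parse it, so confirm the file is the untouched upstream XCCDF before merging. Two content points are worth verifying against upstream before this benchmark is relied on: in DTOO292 the fix text requires the "Do not allow edit" box to be Unchecked, yet the check treats `DisableEditFromPV is REG_DWORD = 1` as not a finding, which reads as the opposite state if 1 means editing is disabled; and the DTOO293 discussion describes "Excel files in Outlook attachments" inside a PowerPoint rule. Smaller wording defects in the same hunk that should stay as upstream wrote them unless this repo normalises benchmark text: "this not a finding" in the DTOO142 criteria, and the missing space in `"Enabled"and "powerpnt.exe"` in DTOO209. The file also ends without a trailing newline ("\ No newline at end of file"); add one so later diffs stay clean. Finally, DTOO999 declares PowerPoint 2010 unsupported and any system running it a finding, so consider flagging this benchmark as legacy wherever the repo indexes benchmarks.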
diff --git a/benchmarks/DISA/U_MS_PowerPoint_2013_STIG_V1R7_Manual-xccdf.xml b/benchmarks/DISA/U_MS_PowerPoint_2013_STIG_V1R7_Manual-xccdf.xml
new file mode 100644
index 000000000..de11641bf
--- /dev/null
+++ b/benchmarks/DISA/U_MS_PowerPoint_2013_STIG_V1R7_Manual-xccdf.xml
@@ -0,0 +1,266 @@
+acceptedMicrosoft PowerPoint 2013 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000210<GroupDescription></GroupDescription>DTOO104Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which could pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17173SV-53464CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the 'powerpnt.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" is set to "Enabled" and a check in the 'powerpnt.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO110Blocking as default file block opening behavior must be enforced.<VulnDiscussion>Users can open, view, or edit a large number of file types in PowerPoint 2013. Some file types are safer than others, as some could allow malicious code to become active on user computers or the network. For this reason, disabling or not configuring this setting could allow malicious code to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26612SV-53468CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> File Block Settings "Set default file block behavior" to "Enabled: Blocked files are not opened".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> File Block Settings "Set default file block behavior" is set to "Enabled: Blocked files are not opened".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\fileblock
+
+Criteria: If the value OpenInProtectedView is REG_DWORD = 0, this is not a findingSRG-APP-000112<GroupDescription></GroupDescription>DTOO111The Internet Explorer Bind to Object functionality must be enabled in PowerPoint.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17174SV-53537CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the 'powerpnt.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" is set to "Enabled" and a check in the 'powerpnt.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO117The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint.<VulnDiscussion>Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet; Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17175SV-53470CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place a check in the 'powerpnt.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" is set to "Enabled" and a check in the 'powerpnt.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO119Configuration for file validation must be enforced.<VulnDiscussion>Office File Validation helps detect and prevent a kind of exploit known as a file format attack or file fuzzing attack. File format attacks exploit the integrity of a file. They occur when someone modifies the structure of a file with the intent of adding malicious code. Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer. As a result, an attacker could gain access to a computer that they did not previously have access to. This could enable an attacker to read sensitive information from the computer's hard disk drive or install malware, such as a worm or a key logging program. The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened. To validate files, Office File Validation compares a file's structure to a predefined file schema, which is a set of rules that determine what a readable file looks like. 
If Office File Validation detects that a file's structure does not follow all rules that are described in the schema, the file does not pass validation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26592SV-53471CCI-001695Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Turn off file validation" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Turn off file validation" set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\filevalidation
+
+Criteria: If the value EnableOnLoad is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO121Files from the Internet zone must be opened in Protected View.<VulnDiscussion>This policy setting allows for determining if files downloaded from the Internet zone open in Protected View. If enabling this policy setting, files downloaded from the Internet zone do not open in Protected View. If disabling or not configuring this policy setting, files downloaded from the Internet zone open in Protected View.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26614SV-53473CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files from the Internet zone in Protected View to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files from the Internet zone in Protected View" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\protectedview
+
+Criteria: If the value DisableInternetFilesInPV is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO123Navigation to URLs embedded in Office products must be blocked in PowerPoint.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17183SV-53475CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and place a check in the 'powerpnt.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" must be "Enabled" and a check in the 'powerpnt.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO124Scripted Window Security must be enforced in PowerPoint.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26588SV-53477CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and 'powerpnt.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'powerpnt.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO126Add-on Management functionality must be allowed in PowerPoint.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26584SV-53479CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and 'powerpnt.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" is set to "Enabled" and 'powerpnt.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following keys:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO127Add-ins to Office applications must be signed by a Trusted Publisher.<VulnDiscussion>Office 2013 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous add-in. As a result, malicious code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26589SV-53481CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security
+
+Criteria: If the value RequireAddinSig is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO129Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17184SV-53484CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and select 'powerpnt.exe'.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" must be "Enabled" and 'powerpnt.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO131Trust Bar Notifications for unsigned application add-ins must be blocked.<VulnDiscussion>If an application is configured to require all add-ins to be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message informing users about the unsigned add-in. If a user is allowed to make the determination to allow an unsigned add-in, it increases the risk of malicious code being introduced onto the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17187SV-53486CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins and block them" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins and block them" must be "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\powerpoint\security
+
+Criteria: If the value notbpromptunsignedaddin is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO132File Downloads must be configured for proper restrictions in PowerPoint.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26587SV-53491CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and 'powerpnt.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" is set to "Enabled" and 'powerpnt.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO133All automatic loading from Trusted Locations must be disabled.<VulnDiscussion>Trusted locations specified in the Trust Center are used to define file locations assumed to be safe. Content, code, and add-ins are allowed to load from trusted locations with a minimal amount of security, without prompting the users for permission. If a dangerous file is opened from a trusted location, it will not be subject to standard security measures and could harm users' computers or data. By default, files located in trusted locations (those specified in the Trust Center) are assumed to be safe.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17471SV-53492CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Disable all trusted locations" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Disable all trusted locations" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\trusted locations
+
+Criteria: If the value AllLocationsDisabled is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO134Disallowance of Trusted Locations on the network must be enforced.<VulnDiscussion>Files located in Trusted Locations and specified in the Trust Center are assumed to be safe. Content, code, and add-ins are allowed to load from Trusted Locations with minimal security and without prompting the user for permission. By default, users can specify Trusted Locations on network shares, or in other remote locations not under their direct control, by selecting the "Allow Trusted Locations on my network" (not recommended) check box in the Trusted Locations section of the Trust Center. If a dangerous file is opened from a trusted location, it will not be subject to typical security measures and could affect users' computers or data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17520SV-53494CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Allow Trusted Locations on the network" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Trusted Locations "Allow Trusted Locations on the network" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\trusted locations
+
+Criteria: If the value AllowNetworkLocations is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO139The Save commands default file format must be configured.<VulnDiscussion>When users create new PowerPoint files, PowerPoint 2013 saves them in the new *.pptx format. Ensure this setting is enabled to specify that all new files are created in PowerPoint 2013. If a new file is created in an earlier format, some users may not be able to open or use the file, or they may choose a format this is less secure than the PowerPoint 2013 format. Users can still select a specific format when they save files, but they cannot change default of this setting from the PowerPoint Options dialog box. This enforced user behavior ensures any change to the file format requires additional deliberate user interaction.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17521SV-53496CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Save "default file format" to "Enabled PowerPoint Presentation (*.pptx)".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Save "default file format" is set to "Enabled PowerPoint Presentation (*.pptx)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\options
+
+Criteria: If the value DefaultFormat is REG_DWORD = 1b (hex) 27 (dec), this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO142Enforce encrypted macros to be scanned in open XML documents must be determined and configured.<VulnDiscussion>When an Office Open XML document (Word, Excel, and PowerPoint) is rights-managed, or password-protected, any macros embedded in the document are encrypted along with the rest of the contents. By default, these encrypted macros will be disabled unless they are scanned by antivirus software immediately before being loaded. If this default configuration is modified, Office products will not require encrypted macros to be scanned before loading. They will be handled as specified by the Office System macro security settings, which can cause macro viruses to load undetected and lead to data loss or reduced application functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17473SV-53498CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Scan encrypted macros in PowerPoint Open XML presentations" to "Enabled (Scan encrypted macros (default)".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Scan encrypted macros in PowerPoint Open XML presentations" must be "Enabled (Scan encrypted macros (default)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security
+
+Criteria: If the value PowerPointBypassEncryptedMacroScan is REG_DWORD = 0, this not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO146Trust access for VBA must be disallowed.<VulnDiscussion>VSTO projects require access to the Visual Basic for Applications project system in Excel, PowerPoint, and Word, even though the projects do not use Visual Basic for Applications. Design-time support of controls in both Visual Basic and C# projects depends on the Visual Basic for Applications project system in Word and Excel. By default, Excel, Word, and PowerPoint do not allow automation clients to have programmatic access to VBA projects. Users can enable this by selecting the Trust access to the VBA project object model in the Macro Settings section of the Trust Center. However, doing so allows macros in any documents the user opens to access the core Visual Basic objects, methods, and properties, which represents a potential security hazard.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17522SV-53505CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "Trust access to Visual Basic Project" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "Trust access to Visual Basic Project" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security
+
+Criteria: If the value AccessVBOM is REG_DWORD=0, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO209Protection from zone elevation must be enforced in PowerPoint.<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26585SV-53509CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and 'powerpnt.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" is set to "Enabled" and 'powerpnt.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000384<GroupDescription></GroupDescription>DTOO210The opening of pre-release versions of file formats new to PowerPoint 2013 through the Compatibility Pack for Office 2013 and PowerPoint 2013 Converter must be blocked.<VulnDiscussion>Versions of file formats from pre-release versions of Office applications may introduce bugs found in those pre-release versions of the applications which have been subsequently fixed in the final release version.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17322SV-53513CCI-001764Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Office 2013 Converters -> "Block opening of pre-release versions of file formats new to PowerPoint 2013 through the Compatibility Pack for Office 2013 and PowerPoint 2013 Converter" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Office 2013 Converters -> "Block opening of pre-release versions of file formats new to PowerPoint 2013 through the Compatibility Pack for Office 2013 and PowerPoint 2013 Converter" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\PowerPoint\security\fileblock
+
+Criteria: If the value powerpoint12betafilesfromconverters is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO211ActiveX Installs must be configured for proper restriction in PowerPoint.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26586SV-53515CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and 'powerpnt.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" is set to "Enabled" and 'powerpnt.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value powerpnt.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO288Files in unsafe locations must be opened in Protected View.
+<VulnDiscussion>This policy setting determines if files located in unsafe locations will open in Protected View. If unsafe locations have not been specified, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations. If enabling this policy setting, files located in unsafe locations do not open in Protected View. If disabling or not configuring this policy setting, files located in unsafe locations open in Protected View.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26615SV-53517CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files in unsafe locations in Protected View" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Do not open files in unsafe locations in Protected View" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\protectedview
+
+Criteria: If the value DisableUnsafeLocationsInPV is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO289The ability to run programs from a PowerPoint presentation must be disallowed.<VulnDiscussion>Action buttons can be used to launch external programs from PowerPoint presentations. If a malicious person adds an action button to a presentation that launches a dangerous program, it could significantly affect the security of a user's computer and data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17788SV-53519CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Run Programs" to "Enabled (disable - (don't run any programs))".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Run Programs" must be "Enabled (disable - (don't run any programs))".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security
+
+Criteria: If the value RunPrograms is REG_DWORD = 0, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO290Hidden markup options must be visible.<VulnDiscussion>PowerPoint presentations that are saved in standard or HTML format can contain a flag indicating whether markup (comments or ink annotations) in the presentation should be visible when the presentation is open. PowerPoint ignores this flag when opening a file, and always displays any markup present in the file. In addition, when saving a file, PowerPoint sets the flag to display markup when the presentation is next opened.
+If this default configuration is changed, PowerPoint sets the flag according to the state of the Show Markup option on the Review tab of the Ribbon when it saves presentations in standard or HTML format. In addition, PowerPoint enables or disables the Show Markup option according to the way the flag is set when it opens files, which means that a presentation saved with hidden markup is opened with the markup still hidden.
+If a file is saved with hidden markup, users might inadvertently distribute sensitive comments or information to others via the presentation file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17752SV-53522CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Make hidden markup visible" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Make hidden markup visible" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\options
+
+Criteria: If the value MarkupOpenSave is REG_DWORD = 1, this is not a finding.
+SRG-APP-000209<GroupDescription></GroupDescription>DTOO291Automatic download of linked images must be disallowed.<VulnDiscussion>When users insert images into PowerPoint presentations, they can select Link to File instead of Insert. If they do so, the image is represented by a link to a file on disk instead of being embedded in the presentation file itself. By default, when PowerPoint opens a presentation it does not display any linked images saved on a different computer unless the presentation itself is saved in a trusted location (as configured in the Trust Center). If this configuration is changed, PowerPoint will load any images that were saved in remote locations, which presents a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17809SV-55919CCI-001169Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Unblock automatic download of linked images" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security "Unblock automatic download of linked images" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security
+
+Criteria: If the value DownloadImages is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO292Document behavior if file validation fails must be set.<VulnDiscussion>This policy key controls the behavior of how Office documents should be handled when failing file validation. By requiring such documents to be opened in Protected View, any potentially malicious code would be disabled, allowing the user to edit the document and resave correctly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26616SV-53524CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Set document behavior if file validation fails" to "Enabled: Open in Protected View" and Unchecked for "Do not allow edit".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Set document behavior if file validation fails" must be "Enabled: Open in Protected View" and Unchecked for "Do not allow edit".
+
+Procedure: Use the Windows Registry Editor to navigate to the following keys:
+
+
+If both
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\filevalidation\OpenInProtectedView is set to REG_DWORD = 1 and HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\filevalidation\DisableEditFromPV is set to REG_DWORD = 1, this is not a finding.
+
+If either, or both keys are not set to REG_DWORD = 1, this is an open finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO293Attachments opened from Outlook must be in Protected View.<VulnDiscussion>This policy setting allows for determining if PowerPoint files in Outlook attachments open in Protected View. If enabling this policy setting, Outlook attachments do not open in Protected View. If disabling or not configuring this policy setting, Outlook attachments open in Protected View.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26617SV-53526CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Turn off Protected View for attachments opened from Outlook" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center -> Protected View "Turn off Protected View for attachments opened from Outlook" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security\protectedview
+
+Criteria: If the value DisableAttachmentsInPV is REG_DWORD = 0, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO304Warning Bar settings for VBA macros must be configured.<VulnDiscussion>When users open files containing VBA macros, applications open the files with the macros disabled and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them. Disabling or not configuring this setting may allow dangerous macros to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-17545SV-53528CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "VBA Macro Notification Settings" to "Enabled (Disable all with notification)".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> PowerPoint Options -> Security -> Trust Center "VBA Macro Notification Settings" is set to "Enabled (Disable all with notification)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security
+
+Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO319The configuration for Slide Update with counterparts must be disallowed.<VulnDiscussion>This setting controls whether users can link slides in a presentation with their counterparts in a PowerPoint Slide Library. If this policy setting is enabled, PowerPoint cannot check the status of a slide in a Slide Library when a presentation with Slide Update data is opened. If this policy setting is disabled or not configured, each time users open a presentation that contains a shared slide, PowerPoint notifies them if the slide has been updated and provides them with the opportunity to ignore the update, append a new slide to the outdated slide, or replace the outdated slide with the updated one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-26639SV-53533CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> Miscellaneous "Disable Slide Update" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft PowerPoint 2013 -> Miscellaneous "Disable Slide Update" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\slide libraries
+
+Criteria: If the value DisableSlideUpdate is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO501Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint Viewer.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which could pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42327SV-54944CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the 'pptview.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" is set to "Enabled" and a check in the 'pptview.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO502The Internet Explorer Bind to Object functionality must be enabled in PowerPoint Viewer.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42332SV-54951CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the 'pptview.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" is set to "Enabled" and a check in the 'pptview.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO503The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint Viewer.<VulnDiscussion>Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet; Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42333SV-54952CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place a check in the 'pptview.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" is set to "Enabled" and a check in the 'pptview.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO504Navigation to URLs embedded in Office products must be blocked in PowerPoint Viewer.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42334SV-54953CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and place a check in the 'pptview.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" must be "Enabled" and a check in the 'pptview.exe' check box is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO505Scripted Window Security must be enforced in PowerPoint Viewer.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42335SV-54954CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and 'pptview.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'pptview.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO506Add-on Management functionality must be allowed in PowerPoint Viewer.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42336SV-54955CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and 'pptview.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" is set to "Enabled" and 'pptview.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following keys:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO507File Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint Viewer.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42330SV-54949CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and select 'pptview.exe'.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" must be "Enabled" and 'pptview.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO508File Downloads must be configured for proper restrictions in PowerPoint Viewer.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on the user's computer or the network. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42331SV-54950CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and 'pptview.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" is set to "Enabled" and 'pptview.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO509Protection from zone elevation must be enforced in PowerPoint Viewer.<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42329SV-54948CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and 'pptview.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" is set to "Enabled" and 'pptview.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO510ActiveX Installs must be configured for proper restriction in PowerPoint Viewer.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-42328SV-54946CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and 'pptview.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" is set to "Enabled" and 'pptview.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value pptview.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO600Macros must be blocked from running in Office 2013 files from the Internet. <VulnDiscussion>This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macros" is selected in the Macro Settings section of the Trust Center. Also, instead of having the choice to "Enable Content", users will receive a notification that macros are blocked from running. If the Office file is saved to a trusted location or was previously trusted by the user, macros will be allowed to run. If you disable or don't configure this policy setting, the settings configured in the Macro Settings section of the Trust Center determine whether macros run in Office files that come from the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386V-72839SV-87491CCI-001170Set the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2013 >> PowerPoint Options >> Security >> Trust Center "Block macros from running in Office files from the Internet" to "Enabled".Verify the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2013 >> PowerPoint Options >> Security >> Trust Center "Block macros from running in Office files from the Internet" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security
+
+Criteria: If the value blockcontentexecutionfrominternet is REG_DWORD = 1, this is not a finding.
+SRG-APP-000456<GroupDescription></GroupDescription>DTOO999-PP13The version of PowerPoint running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft PowerPoint 2013DISADPMS TargetMicrosoft PowerPoint 20135386CCI-002605Upgrade to a supported version.PowerPoint 2013 is no longer supported by the vendor. If the system is running PowerPoint 2013, this is a finding.
\ No newline at end of file
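Review bot: The last rule in this hunk, DTOO999-PP13, states "PowerPoint 2013 is no longer supported by the vendor. If the system is running PowerPoint 2013, this is a finding.", so every host this benchmark is applied to fails by definition regardless of the registry checks in the rules above it; if the repo distinguishes current benchmarks from legacy/EOL ones, this file belongs in the latter and the commit message should say so. The file is also committed without a trailing newline (the `\ No newline at end of file` marker at the end of the hunk); adding one keeps future edits to the final rule from showing up as a change to the entire last line. One thing to be aware of if anything in the repo derives automated checks from these texts: DTOO600 keys off the per-user key `HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\security` (value `blockcontentexecutionfrominternet` = 1), while the IE Security rules DTOO508, DTOO509 and DTOO510 check per-machine `HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_*` keys, so a checker needs both a machine pass and a per-user pass. That is verbatim DISA text and should not be edited here, but it is worth a line wherever the vendored benchmarks are documented.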
diff --git a/benchmarks/DISA/U_MS_Project_2010_STIG_V1R10_Manual-xccdf.xml b/benchmarks/DISA/U_MS_Project_2010_STIG_V1R10_Manual-xccdf.xml
new file mode 100644
index 000000000..332a5008f
--- /dev/null
+++ b/benchmarks/DISA/U_MS_Project_2010_STIG_V1R10_Manual-xccdf.xml
@@ -0,0 +1,89 @@
+acceptedMicrosoft Project 2010 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 10 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000210<GroupDescription></GroupDescription>DTOO104 - ProjectDisabling of user name and password syntax from being used in URLs must be enforced.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-17173SV-33897CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the "winproj.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Disable user name and password" must be "Enabled" and a check in the "winproj.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.
+SRG-APP-000112<GroupDescription></GroupDescription>DTOO111 - ProjectEnabling IE Bind to Object functionality must be present.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-17174SV-33889CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the "winproj.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Bind to Object" must be "Enabled" and a check in the "winproj.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.
+SRG-APP-000210<GroupDescription></GroupDescription>DTOO117 - ProjectSaved from URL mark to assure Internet zone processing must be enforced.<VulnDiscussion>Typically, when Internet Explorer loads a Web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-17175SV-33918CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place a check in the "winproj.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Saved from URL" must be "Enabled" and a check in the "winproj.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.
+SRG-APP-000210<GroupDescription></GroupDescription>DTOO123 - ProjectNavigation to URL's embedded in Office products must be blocked.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-17183SV-33898CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and place a check in the "winproj.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Navigate URL" must be "Enabled" and a check in the "winproj.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO124 - ProjectScripted Window Security must be enforced.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-26588SV-33921CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and "winproj.exe" is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" must be set to "Enabled" and "winproj.exe" is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO126 - ProjectAdd-on Management functionality must be allowed.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-26584SV-33886CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and 'winproj.exe' is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Add-on Management" must be set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO128 - ProjectData Execution Prevention must be enforced.<VulnDiscussion>Data Execution Prevention (DEP) is a set of hardware and software technologies performing additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is to help prevent code execution from data pages. Enabling this setting, turns off Data Execution Prevention. As a result, malicious code takes advantage of code injection or buffer overflow vulnerabilities possibly exploiting the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-26590SV-33925CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2010 -> Security -> Trust Center "Turn off Data Execution Prevention" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft Project 2010 -> Security -> Trust Center "Turn off Data Execution Prevention" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\ms project\security
+
+Criteria: If the value EnableDEP is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO129 - ProjectLinks that invoke instances of IE from within an Office product must be blocked.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-17184SV-33892CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and select "winproj.exe'.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Block popups" must be "Enabled" and "winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO132 - ProjectFile Downloads must be configured for proper restrictions.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interacting with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on user computers or the network. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-26587SV-33915CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and 'winproj.exe' is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict File Download" must be set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO209 - ProjectProtection from zone elevation must be enforced.
+<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on user computers or the network. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-26585SV-33903CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and 'winproj.exe' is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" must be set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO211 - ProjectActiveX Installs must be configured for proper restriction.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on user computers or the network. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-26586SV-33907CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and 'winproj.exe' is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" must be set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO346 - ProjectUntrusted intranet zone access to Project servers must not be allowed.<VulnDiscussion>Enabling this setting allows users to access Project Server websites and workspaces outside of the trusted Internet zone. As a result, malicious code could become active on user computers or the network to gain access to sensitive data. In this situation, the site could attempt to capture personal information, like passwords and user names. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368V-26691SV-34091CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2010 -> Project Options -> Security "Enable untrusted intranet zone access to Project server" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft Project 2010 -> Project Options -> Security "Enable untrusted intranet zone access to Project server" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\ms project\security
+
+Criteria: If the value TrustWSS is REG_DWORD = 0, this is not a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTOO999 - ProjectThe version of Microsoft Project running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2010DISADPMS TargetMicrosoft Project 20105368CCI-002605Upgrade to a supported version.Microsoft Project 2010 is no longer supported by the vendor. If the system is running Microsoft Project 2010, this is a finding.
\ No newline at end of file
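Review bot: the DTOO999 rule at the end of this hunk ("Microsoft Project 2010 is no longer supported by the vendor. If the system is running Microsoft Project 2010, this is a finding.") carries no check procedure, unlike every other rule in the file, which names a registry key and a "Criteria:" line; an assessor has no stated way to determine the installed version (file version of winproj.exe, installed-programs list, or similar), so consider documenting how the version is to be established, or at least flagging in the commit that this rule is procedure-less upstream. The same rule also lacks the V-/SV- identifiers the other rules carry after the "5368" target id (the run reads "5368CCI-002605" with nothing between), which will trip any tooling that keys findings on V-ids. Minor: the file is committed without a trailing newline ("\ No newline at end of file"), which will cause noisy diffs on the next upstream refresh.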
diff --git a/benchmarks/DISA/U_MS_Project_2013_STIG_V1R5_Manual-xccdf.xml b/benchmarks/DISA/U_MS_Project_2013_STIG_V1R5_Manual-xccdf.xml
new file mode 100644
index 000000000..2d3a4651d
--- /dev/null
+++ b/benchmarks/DISA/U_MS_Project_2013_STIG_V1R5_Manual-xccdf.xml
@@ -0,0 +1,98 @@
+acceptedMicrosoft Project 2013 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000210<GroupDescription></GroupDescription>DTOO104Disabling of user name and password syntax from being used in URLs must be enforced.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which would pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-17173SV-53220CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" is "Enabled" and a check in the 'winproj.exe' check box is present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO111The Internet Explorer Bind to Object functionality must be enabled.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-17174SV-53221CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" is "Enabled" and a check in the 'winproj.exe' check box is present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO117The Saved from URL mark must be selected to enforce Internet zone processing.<VulnDiscussion>Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-17175SV-53222CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" is "Enabled" and a check in the 'winproj.exe' check box is present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO123Navigation to URLs embedded in Office products must be blocked.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-17183SV-53223CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" is "Enabled" and a check in the 'winproj.exe' check box is present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO124Scripted Window Security must be enforced.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices, or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-26588SV-53224CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO126Add-on Management functionality must be allowed.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-26584SV-53225CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" is set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO127Add-ins to Office applications must be signed by a Trusted Publisher.<VulnDiscussion>Office 2013 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous add-in. As a result, malicious code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-40888SV-53226CCI-001749Set the policy User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security -> Trust Center -> "Require that application add-ins are signed by Trusted Publisher" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security -> Trust Center -> "Require that application add-ins are signed by Trusted Publisher" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\ms project\security
+
+Criteria: If the value requireaddinsig is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO129Links that invoke instances of Internet Explorer from within an Office product must be blocked.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-17184SV-53227CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" is "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO131Trust Bar Notifications for unsigned application add-ins must be blocked.<VulnDiscussion>If an application is configured to require all add-ins to be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message informing users about the unsigned add-in. If a user is allowed to make the determination to allow an unsigned add-in, it increases the risk of malicious code being introduced onto the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-40889SV-53228CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security -> Trust Center -> "Disable Trust Bar Notification for unsigned application add-ins and block them" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security -> Trust Center -> "Disable Trust Bar Notification for unsigned application add-ins and block them" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\ms project\security
+
+Criteria: If the value notbpromptunsignedaddin is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO132File Downloads must be configured for proper restrictions.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-26587SV-53229CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" is set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO209Protection from zone elevation must be enforced.
+<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-26585SV-53230CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" is set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO211ActiveX Installs must be configured for proper restriction.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-26586SV-53231CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and place a check in the 'winproj.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" is set to "Enabled" and 'winproj.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value winproj.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO304Warning Bar settings for VBA macros must be configured.<VulnDiscussion>When users open files containing VBA macros, applications open the files with the macros disabled and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them. Disabling or not configuring this setting may allow dangerous macros to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-40890SV-53232CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security -> Trust Center -> "VBA Macro Notification Settings" must be set to "Enabled: Disable all with notification".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security -> Trust Center -> "VBA Macro Notification Settings" is set to "Enabled: Disable all with notification".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\ms project\security
+
+Criteria: If the value vbawarnings is REG_DWORD = 2, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO346Untrusted intranet zone access to Project servers must not be allowed.<VulnDiscussion>Enabling this setting allows users to access Project server websites and workspaces outside of the trusted Internet zone. As a result, malicious code could become active on user computers or the network to gain access to sensitive data. In this situation, the site could attempt to capture personal information, such as passwords and user names.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387V-40892SV-53234CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security "Enable untrusted intranet zone access to Project server" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Project 2013 -> Project Options -> Security "Enable untrusted intranet zone access to Project server" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\ms project\security
+
+Criteria: If the value TrustWSS is REG_DWORD = 0, this is not a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTOO999-Project13The version of Microsoft Project running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Project 2013DISADPMS TargetMicrosoft Project 20135387CCI-002605Upgrade to a supported version.Microsoft Project 2013 is no longer supported by the vendor. If the system is running Microsoft Project 2013, this is a finding.
\ No newline at end of file
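Review bot: the committed body of U_MS_Project_2013_STIG_V1R5_Manual-xccdf.xml starts at "+accepted Microsoft Project 2013 Security Technical Implementation Guide..." with no XML declaration and no Benchmark, Group, Rule or title elements, while only inner escaped elements such as <VulnDiscussion> and <GroupDescription> survive; if the bytes in the commit really look like this, the file is not parseable XCCDF despite the -xccdf.xml name and neither OpenSCAP nor STIG Viewer will load it. Please confirm the committed file matches the upstream DISA ZIP (compare a hash) rather than a text export of it. Within the content itself: DTOO999-Project13 ("If the system is running Microsoft Project 2013, this is a finding.") gives no procedure for determining the installed version and has no V-/SV- identifiers ("5387CCI-002605"), unlike the other rules (e.g. "5387V-17173SV-53220CCI-001170"), so any automation keyed on V-ids will skip it. The HKCU policy paths are written with inconsistent casing ("HKCU\software\policies\Microsoft\office\15.0\ms project\security" for DTOO127, DTOO131 and DTOO304 versus "HKCU\Software\Policies\Microsoft\Office\15.0\ms project\security" for DTOO346); the Windows registry is case-insensitive so the checks are equivalent, but anyone converting these into a case-sensitive matcher should normalise them. Note also that DTOO304 only requires vbawarnings = 2 ("Disable all with notification"), which still lets the end user enable macros from the Trust Bar, so it is weaker than an outright block; that is the upstream requirement, not something to change here, but worth stating in the commit message. Finally, "\ No newline at end of file" again: add the trailing newline.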
diff --git a/benchmarks/DISA/U_MS_Publisher_2010_STIG_V1R12_Manual-xccdf.xml b/benchmarks/DISA/U_MS_Publisher_2010_STIG_V1R12_Manual-xccdf.xml
new file mode 100644
index 000000000..f2ad589ec
--- /dev/null
+++ b/benchmarks/DISA/U_MS_Publisher_2010_STIG_V1R12_Manual-xccdf.xml
@@ -0,0 +1,110 @@
+acceptedMicrosoft Publisher 2010 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 12 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000210<GroupDescription></GroupDescription>DTOO104 - PublisherDisabling of user name and password syntax from being used in URLs must be enforced.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17173SV-33895CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the "mspub.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Disable user name and password" must be "Enabled" and a check in the "mspub.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO111 - PublisherEnabling IE Bind to Object functionality must be present.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17174SV-33890CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the "mspub.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Bind to Object" must be "Enabled" and a check in the "mspub.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO117 - PublisherSaved from URL mark to assure Internet zone processing must be enforced.<VulnDiscussion>Typically, when Internet Explorer loads a Web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17175SV-33919CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place a check in the "mspub.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Saved from URL" must be "Enabled" and a check in the "mspub.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO123 - PublisherNavigation to URL's embedded in Office products must be blocked.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17183SV-33900CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and place a check in the "mspub.exe" check box.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Navigate URL" must be "Enabled" and a check in the "mspub.exe" check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO124 - PublisherScripted Window Security must be enforced.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26588SV-33922CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and "mspub.exe" is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" must be set to "Enabled" and "mspub.exe" is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO126 - PublisherAdd-on Management functionality must be allowed.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26584SV-33887CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and "mspub.exe" is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Ofice 2010 (Machine) -> Security Settings -> IE Security "Add-on Management" must be set to "Enabled" and "mspub.exe" is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO127 - PublisherApplication add-ins must be signed by Trusted Publisher.<VulnDiscussion>Office 2010 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous add-in. As a result, malicious code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26589SV-33929CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" must be set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\publisher\security
+
+Criteria: If the value RequireAddinSig is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO128 - PublisherData Execution Prevention must be enforced.<VulnDiscussion>Data Execution Prevention (DEP) is a set of hardware and software technologies performing additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is to help prevent code execution from data pages. Enabling this setting, turns off Data Execution Prevention. As a result, malicious code takes advantage of code injection or buffer overflow vulnerabilities possibly exploiting the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26590SV-33926CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security -> Trust Center "Turn off Data Execution Prevention" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security -> Trust Center "Turn off Data Execution Prevention" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\publisher\security
+
+Criteria: If the value EnableDEP is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO129 - PublisherLinks that invoke instances of IE from within an Office product must be blocked.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17184SV-33894CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and select "mspub.exe".The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Block popups" must be "Enabled" and "mspub.exe" is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO131 - PublisherTrust Bar Notifications for unsigned application add-ins must be blocked.<VulnDiscussion>If an application is configured to require all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message informing users about the unsigned add-in.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17187SV-33928CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins" to "Enabled".The policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins" must be "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\publisher\security
+
+Criteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO132 - PublisherFile Downloads must be configured for proper restrictions.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interacting with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26587SV-33916CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and "mspub.exe" is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict File Download" must be set to "Enabled" and "mspub.exe" is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO209 - PublisherProtection from zone elevation must be enforced.<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26585SV-33901CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and "mspub.exe" is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" must be set to "Enabled" and "mspub.exe" is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO211 - PublisherActiveX Installs must be configured for proper restriction.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26586SV-33905CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and "mspub.exe" is checked.The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2010 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" must be set to "Enabled" and "mspub.exe" is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO304 - PublisherWarning Bar settings for VBA macros must be configured.<VulnDiscussion>When users open files containing VBA Macros, applications open the files with the macros disabled and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them. Disabling or not configuring this setting may allow dangerous macros to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17545SV-33930CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010-> Security -> Trust Center "VBA Macro Notification Settings" to "Enabled (Disabled all with notifications)".The policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010-> Security -> Trust Center "VBA Macro Notification Settings" must be "Enabled (Disabled all with notifications)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\publisher\security
+
+Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO322 - PublisherFatally corrupt files must be blocked from opening.<VulnDiscussion>Enabling this setting allows user to open fatally corrupt Publisher 2010 files. As a result, malicious code or users could become active on user computers or the network. For example, a malicious user may purposely corrupt a Publisher file. The corrupted file could force the application to fail or execute malicious code, giving the malicious user control of Publisher 2010.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26707SV-34092CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security "Prompt to allow fatally corrupt files to open instead of blocking them" to "Disabled".The policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security "Prompt to allow fatally corrupt files to open instead of blocking them" must be set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\14.0\publisher
+
+Criteria: If the value PromptForBadFiles is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO323 - PublisherThe Publisher Automation Security Level must be configured for high security.<VulnDiscussion>When a separate application is used to launch Publisher 2010 programmatically, any macros can run in the programmatically-opened application without being blocked. Disabling or not configuring this setting could allow a malicious user to use automation to run malicious code in Publisher 2010.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-26708SV-34093CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security "Publisher Automation Security Level" to "Enabled and High (Disabled)" is selected.The policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2010 -> Security "Publisher Automation Security Level" must be set to "Enabled and High (Disabled)" is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\Common\Security
+
+Criteria: If the value AutomationSecurityPublisher is REG_DWORD = 3, this is not a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTOO999 - PublisherThe version of Microsoft Publisher running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370CCI-002605Upgrade to a supported version.Microsoft Publisher 2010 is no longer supported by the vendor. If the system is running Microsoft Publisher 2010, this is a finding.
\ No newline at end of file
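Review bot: The file is committed without a trailing newline (see the `\ No newline at end of file` marker) and its final rule, DTOO999, states that Microsoft Publisher 2010 is no longer supported by the vendor, so decide whether an end-of-life benchmark should ship in this set at all; if it stays, add the trailing newline and confirm the committed file is well-formed XCCDF with `xmllint --noout` on the new path, since as rendered here no element structure is visible and fields such as `DPMS Target Microsoft Publisher 2010DISADPMS TargetMicrosoft Publisher 20105370V-17173SV-33895` run together. Two content issues to verify against the upstream DISA release rather than patch locally: the DTOO126 check text reads "Microsoft Ofice 2010 (Machine)", and the DTOO129 discussion refers to "2007 Office applications" inside a Publisher 2010 benchmark.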
diff --git a/benchmarks/DISA/U_MS_Publisher_2013_STIG_V1R6_Manual-xccdf.xml b/benchmarks/DISA/U_MS_Publisher_2013_STIG_V1R6_Manual-xccdf.xml
new file mode 100644
index 000000000..f943a985a
--- /dev/null
+++ b/benchmarks/DISA/U_MS_Publisher_2013_STIG_V1R6_Manual-xccdf.xml
@@ -0,0 +1,105 @@
+acceptedMicrosoft Publisher 2013 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000210<GroupDescription></GroupDescription>DTOO104Disabling of user name and password syntax from being used in URLs must be enforced.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which would pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-17173SV-53235CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the 'mspub.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" must be "Enabled" and a check in the 'mspub.exe' check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO111The Internet Explorer Bind to Object functionality must be enabled.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-40893SV-53236CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the 'mspub.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to Object" must be "Enabled" and a check in the 'mspub.exe' check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO117The Saved from URL mark must be selected to enforce Internet zone processing.<VulnDiscussion>Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-40894SV-53237CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place a check in the 'mspub.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" must be "Enabled" and a check in the 'mspub.exe' check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO123Navigation to URLs embedded in Office products must be blocked.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-40895SV-53238CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and place a check in the 'mspub.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" must be "Enabled" and a check in the 'mspub.exe' check box must be present.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO124Scripted Window Security must be enforced.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computer in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-40896SV-53239CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and 'mspub.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'mspub.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO126Add-on Management functionality must be allowed.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for the user's computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-26584SV-53240CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and 'mspub.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" is set to "Enabled" and 'mspub.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO127Add-ins to Office applications must be signed by a Trusted Publisher.<VulnDiscussion>Office 2013 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous add-in. As a result, malicious code could become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-26589SV-53241CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security -> Trust Center "Require that application add-ins are signed by Trusted Publisher" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\publisher\security
+
+Criteria: If the value RequireAddinSig is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO129Links that invoke instances of Internet Explorer from within an Office product must be blocked.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-17184SV-53242CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and select 'mspub.exe'.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" must be "Enabled" and 'mspub.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO131Trust Bar Notifications for unsigned application add-ins must be blocked.<VulnDiscussion>If an application is configured to require all add-ins to be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message informing users about the unsigned add-in. If a user is allowed to make the determination to allow an unsigned add-in, it increases the risk of malicious code being introduced onto the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-17187SV-53243CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security -> Trust Center "Disable Trust Bar Notification for unsigned application add-ins" must be "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\publisher\security
+
+Criteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO132File Downloads must be configured for proper restrictions.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-26587SV-53244CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and 'mspub.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" is set to "Enabled" and 'mspub.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO209Protection from zone elevation must be enforced.<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-26585SV-53245CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and 'mspub.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" is set to "Enabled" and 'mspub.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO211ActiveX Installs must be configured for proper restriction.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-26586SV-53246CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and 'mspub.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" is set to "Enabled" and 'mspub.exe' is checked.
+
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value mspub.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO304Warning Bar settings for VBA macros must be configured.<VulnDiscussion>When users open files containing VBA Macros, applications open the files with the macros disabled and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them. Disabling or not configuring this setting may allow dangerous macros to become active on the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-17545SV-53248CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security -> Trust Center "VBA Macro Notification Settings" to "Enabled (Disabled all with notifications)".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security -> Trust Center "VBA Macro Notification Settings" must be "Enabled (Disabled all with notifications)".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\15.0\publisher\security
+
+Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO322Fatally corrupt files must be blocked from opening.<VulnDiscussion>Enabling this setting allows a user to open fatally corrupt Publisher 2013 files. As a result, malicious code or users could become active on the user's computer or the network. For example, a malicious user may purposely corrupt a Publisher file. The corrupted file could force the application to fail or execute malicious code, giving the malicious user control of Publisher 2013.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-26707SV-53255CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security "Prompt to allow fatally corrupt files to open instead of blocking them" to "Disabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security "Prompt to allow fatally corrupt files to open instead of blocking them" is set to "Disabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+
+HKCU\Software\Policies\Microsoft\Office\15.0\publisher
+
+Criteria: If the value PromptForBadFiles is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO323The Publisher Automation Security Level must be configured for high security.<VulnDiscussion>When a separate application is used to launch Publisher 2013 programmatically, any macros can run in the programmatically-opened application without being blocked. Disabling or not configuring this setting could allow a malicious user to use automation to run malicious code in Publisher 2013.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388V-26708SV-53256CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security "Publisher Automation Security Level" to "Enabled and High (Disabled)" is selected.Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Publisher 2013 -> Security "Publisher Automation Security Level" is set to "Enabled and High (Disabled)" is selected.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\Software\Policies\Microsoft\Office\Common\Security
+
+Criteria: If the value AutomationSecurityPublisher is REG_DWORD = 3, this is not a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTOO999-Pub13The version of Microsoft Publisher running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Publisher 2013DISADPMS TargetMicrosoft Publisher 20135388CCI-002605Upgrade to a supported version.Microsoft Publisher 2013 is no longer supported by the vendor. If the system is running Microsoft Publisher 2013, this is a finding.
\ No newline at end of file
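Review bot: The added benchmark text carries none of the XCCDF element structure (no `Benchmark`, `Group` or `Rule` elements, no XML declaration), only the inner `<VulnDiscussion>`, `<GroupDescription>` and `<ProfileDescription>` tags with each rule's title, discussion, fix and check text run together on a single line, so an XCCDF/SCAP consumer will not find any rules in it; please confirm the committed file is the original DISA XCCDF rather than a text export of it. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while re-exporting. Since the final rule (DTOO999-Pub13) states that Microsoft Publisher 2013 is no longer vendor supported and is an unconditional finding, consider saying so in the commit message so consumers know this benchmark cannot be passed.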
diff --git a/benchmarks/DISA/U_MS_SQL_Server_2014_Database_STIG_V1R7_Manual-xccdf.xml b/benchmarks/DISA/U_MS_SQL_Server_2014_Database_STIG_V1R7_Manual-xccdf.xml
new file mode 100644
index 000000000..097b541b3
--- /dev/null
+++ b/benchmarks/DISA/U_MS_SQL_Server_2014_Database_STIG_V1R7_Manual-xccdf.xml
@@ -0,0 +1,1813 @@
+acceptedMS SQL Server 2014 Database Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000033-DB-000084<GroupDescription></GroupDescription>SQL4-00-002000SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies.<VulnDiscussion>Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the database and all its contents. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including SQL Server databases, must be properly configured to implement access control policies.
+
+Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+
+Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
+
+This requirement is applicable to access control enforcement applications, a category that includes SQL Server. If SQL Server is not configured to follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81847V-67357CCI-000213Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.Review the system documentation to determine the required levels of protection for securables in the database, by type of user.
+
+Review the permissions actually in place in the database.
+
+The database permission functions and views provided in the supplemental file Permissions.sql can help with this.
+
+If the actual permissions do not match the documented requirements, this is a finding.SRG-APP-000089-DB-000064<GroupDescription></GroupDescription>SQL4-00-011200SQL Server must generate Trace or Audit records for organization-defined auditable events.<VulnDiscussion>Audit records can be generated from various components within the information system (e.g., network interface, hard disk, modem, etc.). From an application perspective, certain specific application functionalities may be audited as well.
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. Examples are auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
+
+Organizations define which application components shall provide auditable events.
+
+The DBMS must provide auditing for the list of events defined by the organization or risk negatively impacting forensic investigations into malicious behavior in the information system.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81849V-67359CCI-000169Design and deploy a SQL Server Audit or Trace that captures all auditable events.
+
+The script provided in the supplemental file Trace.sql can be used to create a trace; edit it as necessary to capture any additional, locally-defined events.
+
+The script provided in the supplemental file Audit.sql can be used to create an audit; edit it as necessary to capture any additional, locally-defined events.If there are no locally-defined security tables or procedures, this is not applicable.
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding.
+
+Any additional events locally defined should also be in the list; if not, this is a finding.
+
+14 -- Audit Login
+15 -- Audit Logout
+16 -- Attention
+17 -- ExistingConnection
+18 -- Audit Server Starts and Stops
+20 -- Audit Login Failed
+42 -- SP:Starting
+43 -- SP:Completed
+46 -- Object:Created
+47 -- Object:Deleted
+90 -- User-defined Event
+102 -- Audit Database Scope GDR Event
+103 -- Audit Object GDR Event
+104 -- Audit AddLogin Event
+105 -- Audit Login GDR Event
+106 -- Audit Login Change Property Event
+107 -- Audit Login Change Password Event
+108 -- Audit Add Login to Server Role Event
+109 -- Audit Add DB User Event
+110 -- Audit Add Member to DB Role Event
+111 -- Audit Add Role Event
+112 -- Audit App Role Change Password Event
+113 -- Audit Statement Permission Event
+115 -- Audit Backup/Restore Event
+116 -- Audit DBCC Event
+117 -- Audit Change Audit Event
+118 -- Audit Object Derived Permission Event
+128 -- Audit Database Management Event
+129 -- Audit Database Object Management Event
+130 -- Audit Database Principal Management Event
+131 -- Audit Schema Object Management Event
+132 -- Audit Server Principal Impersonation Event
+133 -- Audit Database Principal Impersonation Event
+134 -- Audit Server Object Take Ownership Event
+135 -- Audit Database Object Take Ownership Event
+152 -- Audit Change Database Owner
+153 -- Audit Schema Object Take Ownership Event
+162 -- User error message
+164 -- Object:Altered
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+175 -- Audit Server Alter Trace Event
+176 -- Audit Server Object Management Event
+177 -- Audit Server Principal Management Event
+178 -- Audit Database Operation Event
+180 -- Audit Database Object Access Event
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible.
+
+If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all configuration-related actions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>');
+GO
+
+Examine the list produced by the query.
+
+If the audited_result column is not "SUCCESS AND FAILURE" on every row, this is a finding.
+
+If any of the following audit action groups is not included in the list, this is a finding.
+
+APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
+AUDIT_CHANGE_GROUP
+BACKUP_RESTORE_GROUP
+DATABASE_CHANGE_GROUP
+DATABASE_OBJECT_ACCESS_GROUP
+DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
+DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
+DATABASE_OPERATION_GROUP
+DATABASE_OWNERSHIP_CHANGE_GROUP
+DATABASE_PERMISSION_CHANGE_GROUP
+DATABASE_PRINCIPAL_CHANGE_GROUP
+DATABASE_PRINCIPAL_IMPERSONATION_GROUP
+DATABASE_ROLE_MEMBER_CHANGE_GROUP
+DBCC_GROUP
+FAILED_LOGIN_GROUP
+LOGIN_CHANGE_PASSWORD_GROUP
+LOGOUT_GROUP
+SCHEMA_OBJECT_ACCESS_GROUP
+SCHEMA_OBJECT_CHANGE_GROUP
+SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
+SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
+SERVER_OBJECT_CHANGE_GROUP
+SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
+SERVER_OBJECT_PERMISSION_CHANGE_GROUP
+SERVER_OPERATION_GROUP
+SERVER_PERMISSION_CHANGE_GROUP
+SERVER_PRINCIPAL_CHANGE_GROUP
+SERVER_PRINCIPAL_IMPERSONATION_GROUP
+SERVER_ROLE_MEMBER_CHANGE_GROUP
+SERVER_STATE_CHANGE_GROUP
+SUCCESSFUL_LOGIN_GROUP
+TRACE_CHANGE_GROUPSRG-APP-000090-DB-000065<GroupDescription></GroupDescription>SQL4-00-011320Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.
+
+Suppression of auditing could permit an adversary to evade detection.
+
+Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+This version of the requirement deals with SQL Server Audit-based audit trails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81851V-67361CCI-000171Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions:
+USE <database name>;
+GO
+CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
+GO
+GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
+GO
+(The role name used here is an example; other names may be used.)
+
+Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users.
+
+Then, for each authorized database user, run the statement:
+ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER <user name> ;
+GO
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.If SQL Server Audit is not in use at the database level, this is not applicable (NA).
+
+Obtain the list of approved audit maintainers from the system documentation.
+
+Review the database roles and individual users that have the following permissions, both of which enable the ability to maintain audit definitions:
+ALTER ANY DATABASE AUDIT
+CONTROL ON DATABASE
+
+The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions. To see which logins and server roles have been granted these permissions:
+ SELECT
+ *
+ FROM
+ STIG.database_permissions P
+ WHERE
+ (P.[Permission] = 'ALTER ANY DATABASE AUDIT')
+ OR
+ (P.[Permission] = 'CONTROL' AND P.[Securable Type or Class] = 'DATABASE')
+ ;
+
+To see what users and database roles inherit these permissions from the database roles reported by the previous query, repeat the following for each one:
+ SELECT * FROM STIG.members_of_database_role(<database role name>);
+
+To see all the permissions in effect for a database principal (server role or login):
+ SELECT * FROM STIG.server_effective_permissions(<principal name>);
+
+If designated personnel are not able to configure auditable events, this is a finding.
+
+If unapproved personnel are able to configure auditable events, this is a finding.SRG-APP-000133-DB-000179<GroupDescription></GroupDescription>SQL4-00-014900SQL Server must be monitored to discover unauthorized changes to functions.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant effects on the overall security of the system.
+
+If SQL Server were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version-dependent. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages.
+
+Accordingly, only qualified and authorized individuals shall be allowed to obtain access to SQL Server components for purposes of initiating changes, including upgrades and modifications.
+
+Unmanaged changes that occur to the SQL Server software libraries or configuration, such as Functions, can lead to unauthorized or compromised installations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81855V-67365CCI-001499Configure a SQL Server timed job that automatically checks all system and user-defined Functions for being modified.
+
+(The supplemental file Track.sql, provided with this STIG, can be used to establish a monitoring job. This should be supplemented with a process for informing the appropriate personnel. Other techniques for achieving the same ends, such as the use of DDL triggers, are acceptable.)Check the SQL Server configuration for a timed job that automatically checks all system and user-defined Functions for being modified by running the following SQL Server query:
+EXEC msdb.dbo.sp_help_job @job_name = '<enter . . . job name>';
+
+(Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.)
+
+If a timed job or some other method is not implemented to check for Functions being modified, this is a finding.SRG-APP-000133-DB-000179<GroupDescription></GroupDescription>SQL4-00-015100SQL Server must be monitored to discover unauthorized changes to triggers.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant effects on the overall security of the system.
+
+If SQL Server were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version-dependent. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages.
+
+Accordingly, only qualified and authorized individuals shall be allowed to obtain access to SQL Server components for purposes of initiating changes, including upgrades and modifications.
+
+Unmanaged changes that occur to the SQL Server software libraries or configuration, such as Triggers, can lead to unauthorized or compromised installations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81857V-67367CCI-001499Configure a SQL Server timed job that automatically checks all system and user-defined Triggers for modification.
+
+(The supplemental file Track.sql, provided with this STIG, can be used to establish a monitoring job. This should be supplemented with a process for informing the appropriate personnel. Other techniques for achieving the same ends, such as the use of DDL triggers, are acceptable.)Check the SQL Server configuration for the timed job that automatically checks all system and user-defined Triggers for being modified by running the following SQL Server query:
+EXEC msdb.dbo.sp_help_job @job_name = '<enter . . . job name>';
+
+(Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.)
+
+If such a job, or an alternative method of monitoring triggers for modification, does not exist, this is a findingSRG-APP-000133-DB-000179<GroupDescription></GroupDescription>SQL4-00-015200SQL Server must be monitored to discover unauthorized changes to stored procedures.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant effects on the overall security of the system.
+
+If SQL Server were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version-dependent. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages.
+
+Accordingly, only qualified and authorized individuals shall be allowed to obtain access to SQL Server components for purposes of initiating changes, including upgrades and modifications.
+
+Unmanaged changes that occur to the SQL Server software libraries or configuration, such as Stored Procedures, can lead to unauthorized or compromised installations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81859V-67369CCI-001499Configure a SQL Server timed job that automatically checks all system and user-defined Stored Procedures for modification.
+
+(The supplemental file Track.sql, provided with this STIG, can be used to establish a monitoring job. This should be supplemented with a process for informing the appropriate personnel. Other techniques for achieving the same ends, such as the use of DDL triggers, are acceptable.)Check for the existence of a job to monitor for changes to stored procedures:
+EXEC msdb.dbo.sp_help_job @job_name = '<enter . . . job name>';
+
+(Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.)
+
+If such a job, or an alternative method of monitoring stored procedures for modification, does not exist, this is a finding.SRG-APP-000133-DB-000200<GroupDescription></GroupDescription>SQL4-00-015600Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership.<VulnDiscussion>Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.
+
+Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81861V-67371CCI-001499Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.
+
+To change the schema owning a database object in SQL Server, use this code:
+USE <database name>;
+GO
+ALTER SCHEMA <name of new schema> TRANSFER <name of old schema>.<object name>;
+GO
+
+Caution: this can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.Review system documentation to identify SQL Server accounts authorized to own database objects.
+
+If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
+
+The view STIG.database_permissions, included in the supplemental file, Permissions.sql, can be of use in making this determination:
+USE <database name>;
+GO
+SELECT DISTINCT
+ S.[Schema/Owner] AS [Owner],
+ O.[Schema/Owner] AS [Schema],
+ O.[Securable]
+FROM
+ STIG.database_permissions O
+ INNER JOIN STIG.database_permissions S
+ ON S.[Securable] = O.[Schema/Owner]
+ AND O.[Securable Type or Class] = 'OBJECT_OR_COLUMN'
+ AND S.[Securable Type or Class] = 'SCHEMA'
+WHERE
+ S.[Schema/Owner] NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA' ... )
+ -- Complete the "NOT IN" list with the names of user accounts authorized for ownership.
+;
+If any of the listed owners is not authorized, this is a finding.SRG-APP-000133-DB-000200<GroupDescription></GroupDescription>SQL4-00-015610In a database owned by [sa], or by any other login having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF.<VulnDiscussion>SQL Server's fixed (built-in) server roles, especially [sysadmin], have powerful capabilities that could cause great harm if misused, so their use must be tightly controlled.
+
+The SQL Server instance uses each database's TRUSTWORTHY property to guard against tampering that could enable unwarranted privilege escalation. When TRUSTWORTHY is 0/False/Off, SQL Server prevents the database from accessing resources in other databases. When TRUSTWORTHY is 1/True/On, SQL Server permits access to other databases (subject to other protections). SQL Server sets TRUSTWORTHY OFF when it creates a new database. SQL Server forces TRUSTWORTHY OFF, irrespective of its prior value, when an existing database is attached to it, to address the possibility that an adversary may have tampered with the database, introducing malicious code. To set TRUSTWORTHY ON, an account with the [sysadmin] role must issue an ALTER DATABASE command.
+
+Although SQL Server itself treats this property conservatively, application installer programs may set TRUSTWORTHY ON and leave it on. This provides an opportunity for misuse.
+
+When TRUSTWORTHY is ON, users of the database can take advantage of the database owner's privileges, by impersonating the owner. This can have particularly serious consequences if the database owner is the [sa] login (which may have been renamed in accordance with SQL4-00-010200, and disabled in accordance with SQL4-00-017100, but nonetheless can be invoked in an EXECUTE AS USER = 'dbo' statement, or CREATE PROCEDURE ... WITH EXECUTE AS OWNER ...). The [sa] login cannot be removed from the [sysadmin] role. The user impersonating [sa] - or another [sysadmin] account - is then able to perform administrative actions across all databases under the instance, including making any himself or any other login a member of [sysadmin].
+
+Most of the other fixed server roles could be similarly abused.
+
+Therefore, TRUSTWORTHY must not be used on databases owned by logins that are members of the fixed server roles. Further, if TRUSTWORTHY is to be used for any other database, the need must be documented and approved.
+
+The system database [msdb] is an exception: it is required to be TRUSTWORTHY.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81865V-67375CCI-001499Set the TRUSTWORTHY property OFF; or remove the database owner from the fixed server role(s); or change the database owner.
+
+To set the TRUSTWORTHY property OFF:
+USE [master];
+GO
+ALTER DATABASE <name> SET TRUSTWORTHY OFF;
+GO
+Verify that this produced the intended result by re-running the query specified in the Check.
+
+To determine the path or paths by which the database owner is assigned the fixed server role or roles, run this query:
+
+USE <database name>;
+GO
+WITH C AS
+(
+SELECT
+ P.name AS [Parent Server Role],
+ CAST('Fixed' AS varchar(8))
+ AS [Server Role Type],
+ M.name AS [Member],
+ M.type_desc AS [Member Type],
+ P.name AS [Root],
+ 1 AS [Level]
+FROM
+ [sys].[server_role_members] X
+ INNER JOIN [sys].[server_principals] P ON P.principal_id = X.role_principal_id
+ INNER JOIN [sys].[server_principals] M ON M.principal_id = X.member_principal_id
+WHERE
+ P.is_fixed_role = 1
+UNION ALL
+SELECT
+ P.name AS [Parent Server Role],
+ CASE WHEN M.is_fixed_role = 1 THEN CAST('Fixed' AS varchar(8)) ELSE CAST('Custom' AS varchar(8)) END
+ AS [Server Role Type],
+ M.name AS [Member],
+ M.type_desc AS [Member Type],
+ C.[Root] AS [Root],
+ C.[Level] + 1 AS [Level]
+FROM
+ [sys].[server_role_members] X
+ INNER JOIN [sys].[server_principals] P ON P.principal_id = X.role_principal_id
+ INNER JOIN [sys].[server_principals] M ON M.principal_id = X.member_principal_id
+ INNER JOIN C ON P.name = C.Member
+)
+,
+B AS
+(
+SELECT
+ C.[Member] AS [Leaf],
+ C.[Root],
+ C.[Parent Server Role],
+ C.[Server Role Type],
+ C.[Member],
+ C.[Member Type],
+ C.[Level]
+FROM C
+WHERE
+ C.[Member Type] NOT LIKE '%ROLE%'
+UNION ALL
+SELECT
+ B.[Leaf],
+ C.[Root],
+ C.[Parent Server Role],
+ C.[Server Role Type],
+ C.[Member],
+ C.[Member Type],
+ C.[Level]
+FROM C
+INNER JOIN B
+ ON C.[Member] = B.[Parent Server Role]
+ AND C.[Level] = B.[Level] - 1
+ AND C.[Root] = B.[Root]
+)
+SELECT
+ DB_NAME() AS [Database],
+ B.[Leaf] AS [Owner Login],
+ B.[Root] AS[Top-Level Server Role],
+ B.[Parent Server Role],
+ B.[Server Role Type],
+ B.[Member],
+ B.[Member Type],
+ B.[Level]
+FROM B
+WHERE B.[Leaf] = (SELECT SUSER_SNAME(D.owner_sid) FROM sys.databases D WHERE D.Name = DB_NAME())
+ORDER BY B.[Root], B.[Level], B.[Parent Server Role], B.[Member]
+;
+GO
+
+To remove the database owner from a fixed server role or a custom server role:
+USE [master];
+GO
+ALTER SERVER ROLE <fixed/custom server role name>
+ DROP MEMBER <database owner name>;
+GO
+Verify that this produced the intended result by re-running the Check query.
+
+To change the database owner:
+USE [master];
+GO
+ALTER AUTHORIZATION ON DATABASE::<DB name> TO <new owner name>;
+GO
+Verify that this produced the intended result by re-running the Check query.Run the SQL statements:
+USE <database name>;
+GO
+WITH FixedServerRoles(RoleName) AS
+(
+ SELECT 'sysadmin'
+ UNION SELECT 'securityadmin'
+ UNION SELECT 'serveradmin'
+ UNION SELECT 'setupadmin'
+ UNION SELECT 'processadmin'
+ UNION SELECT 'diskadmin'
+ UNION SELECT 'dbcreator'
+ UNION SELECT 'bulkadmin'
+)
+SELECT
+ DB_NAME() AS [Database],
+ SUSER_SNAME(D.owner_sid) AS [Database Owner],
+ F.RoleName AS [Fixed Server Role],
+ CASE WHEN D.is_trustworthy_on = 1 THEN 'ON' ELSE 'off' END
+ AS [Trustworthy]
+FROM
+ FixedServerRoles F
+ INNER JOIN sys.databases D ON D.Name = DB_NAME()
+WHERE
+ IS_SRVROLEMEMBER(F.RoleName, SUSER_SNAME(D.owner_sid)) = 1
+AND DB_NAME() <> 'msdb'
+AND D.is_trustworthy_on = 1;
+GO
+
+If the query returns any rows, this is a finding.SRG-APP-000133-DB-000200<GroupDescription></GroupDescription>SQL4-00-015620In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized.<VulnDiscussion>SQL Server's fixed (built-in) server roles, especially [sysadmin], have powerful capabilities that could cause great harm if misused, so their use must be tightly controlled.
+
+The SQL Server instance uses each database's TRUSTWORTHY property to guard against tampering that could enable unwarranted privilege escalation. When TRUSTWORTHY is 0/False/Off, SQL Server prevents the database from accessing resources in other databases. When TRUSTWORTHY is 1/True/On, SQL Server permits access to other databases (subject to other protections). SQL Server sets TRUSTWORTHY OFF when it creates a new database. SQL Server forces TRUSTWORTHY OFF, irrespective of its prior value, when an existing database is attached to it, to address the possibility that an adversary may have tampered with the database, introducing malicious code. To set TRUSTWORTHY ON, an account with the [sysadmin] role must issue an ALTER DATABASE command.
+
+Although SQL Server itself treats this property conservatively, application installer programs may set TRUSTWORTHY ON and leave it on. This provides an opportunity for misuse.
+
+When TRUSTWORTHY is ON, users of the database can take advantage of the database owner's privileges, by impersonating the owner. This can have particularly serious consequences if the database owner is the [sa] login (which may have been renamed in accordance with SQL4-00-010200, and disabled in accordance with SQL4-00-017100, but nonetheless can be invoked in an EXECUTE AS USER = 'dbo' statement, or CREATE PROCEDURE ... WITH EXECUTE AS OWNER ...). The [sa] login cannot be removed from the [sysadmin] role. The user impersonating [sa] - or another [sysadmin] account - is then able to perform administrative actions across all databases under the instance, including making any himself or any other login a member of [sysadmin].
+
+Most of the other fixed server roles could be similarly abused.
+
+Therefore, TRUSTWORTHY must not be used on databases owned by logins that are members of the fixed server roles. Further, if TRUSTWORTHY is to be used for any other database, the need must be documented and approved.
+
+The system database [msdb] is an exception: it is required to be TRUSTWORTHY.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81863V-67373CCI-001499Run the SQL statements:
+USE [master];
+GO
+ALTER DATABASE <name> SET TRUSTWORTHY OFF;
+GOIf the database is owned by an account that is directly or indirectly a member of a fixed (built-in) server role, this is not applicable (NA).
+
+Run the query:
+USE <database name>;
+GO
+SELECT
+DB_NAME() AS [Database],
+SUSER_SNAME(D.owner_sid) AS [Database Owner],
+CASE WHEN D.is_trustworthy_on = 1 THEN 'ON' ELSE 'off' END
+AS [Trustworthy]
+FROM
+sys.databases D
+WHERE
+D.[name] = DB_NAME()
+AND DB_NAME() <> 'msdb'
+AND D.is_trustworthy_on = 1;
+GO
+If the query returns a row indicating that the TRUSTWORTHY setting is OFF, or returns no rows, this is not a finding.
+
+Review the system security plan to determine whether the need for TRUSTWORTHY is documented and approved. If not, this is a finding.SRG-APP-000226-DB-000147<GroupDescription></GroupDescription>SQL4-00-021210In the event of a system failure, SQL Server must preserve any information necessary to return to operations with least disruption to mission processes.<VulnDiscussion>Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. The existence and reliability of database backups is an essential aspect of the ability to fail to a known state. It helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.
+
+Backups must be performed according to an appropriate schedule, and must be tested periodically to provide assurance that they can be used for restoring the database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81867V-67377CCI-001665Modify the system security plan, to include whether the database is static, the correct recovery model to be used, the backup schedule, and the plan for testing database restoration.
+
+In SQL Server Management Studio, Object Explorer, right-click on the name of the database; select Properties. Select the Options page. Set the Recovery Model field, near the top of the page, to the correct value.
+
+In Object Explorer, expand <server name> >> SQL Server Agent >> Jobs. Create, modify and delete jobs to implement the backup schedule. (Alternatively, this may done using T-SQL code.)
+
+Correct any issues that have been causing backups to fail.
+
+Test the restoration of the database at least once a year; correct any issues that cause it to fail. Maintain a record of these tests.Review the system security plan (SSP) to determine whether the database is static, the recovery model to be used, the backup schedule, and the plan for testing database restoration. If the SSP does not state that the database is static, assume that it is not static. If any of the other information is absent, this is a finding.
+
+If the database is not static, but the documented recovery model is Simple, this is a finding.
+
+If the database is not static, and the documented recovery model is Bulk Logged, but the justification and authorization for this are not documented, this is a finding.
+
+In SQL Server Management Studio, Object Explorer, right-click on the name of the database; select Properties. Select the Options page.
+
+Observe the Recovery Model field, near the top of the page. If this does not match the documented recovery model, this is a finding.
+
+In Object Explorer, expand <server name> >> SQL Server Agent >> Jobs.
+
+Review the jobs set up to implement the backup plan. If they are absent, this is a finding.
+
+Right-click on each backup job; select View History. If the history indicates a pattern of job failures, this is a finding.
+
+Review evidence that database recovery is tested annually or more often, and that the most recent test was successful. If not, this is a finding.SRG-APP-000231-DB-000154<GroupDescription></GroupDescription>SQL4-00-021300SQL Server must protect data at rest and ensure confidentiality and integrity of data.<VulnDiscussion>This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use.
+
+User-generated data, as well as, application-specific configuration data, needs to be protected. Configurations and/or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content are examples of system information likely requiring protection. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate.
+
+If the confidentiality and integrity of SQL Server data is not protected, the data will be open to compromise and unauthorized modification.
+
+Protective measures include encryption, physical security of the facility where the storage devices reside, operating system file permissions, and organizational controls. Each of these should be applied as necessary and appropriate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-82367V-67877CCI-001199Apply appropriate controls to protect the confidentiality and integrity of data on a secondary device.
+
+Where encryption is required, this can be done by full-disk encryption or by database encryption. To enable database encryption, create a master key, create a database encryption key, and protect it by using mechanisms tied to the master key, and then set encryption on.
+
+Implement physical security measures, operating system access control lists and organizational controls appropriate to the sensitivity level of the data in the database(s).If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.
+
+If the application owner and Authorizing Official have determined that encryption of data at rest is required, ensure the data on secondary devices is encrypted.
+
+If full-disk encryption is being used, this is not a finding.
+
+If DBMS data encryption is required, ensure the data is encrypted before being put on the secondary device by executing:
+
+SELECT
+ d.name AS [Database Name],
+ CASE e.encryption_state
+ WHEN 0 THEN 'No database encryption key present, no encryption'
+ WHEN 1 THEN 'Unencrypted'
+ WHEN 2 THEN 'Encryption in progress'
+ WHEN 3 THEN 'Encrypted'
+ WHEN 4 THEN 'Key change in progress'
+ WHEN 5 THEN 'Decryption in progress'
+ WHEN 6 THEN 'Protection change in progress'
+ END AS [Encryption State]
+FROM sys.dm_database_encryption_keys e
+RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name
+WHERE d.name NOT IN ('master','model','msdb')
+ORDER BY 1
+;
+
+For each user database where encryption is required, verify that encryption is in effect. If not, this is a finding.
+
+Verify that there are physical security measures, operating system access control lists and organizational controls appropriate to the sensitivity level of the data in the database(s). If not, this is a finding.SRG-APP-000243-DB-000128<GroupDescription></GroupDescription>SQL4-00-021800Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.<VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.
+
+Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, so copies of sensitive data are not misplaced or left in a temporary location without the proper controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81879V-67389CCI-001090Create and document a process for moving data from production to development/test systems and follow the process.
+
+Modify any code used for moving data from production to development/test systems to ensure copies of production data are not left in unsecured locations.Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations.
+
+If there is no documented procedure for data movement from production to development/test, this is a finding.
+
+If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding.SRG-APP-000251-DB-000160<GroupDescription></GroupDescription>SQL4-00-022500SQL Server must check the validity of all data inputs except those specifically identified by the organization.<VulnDiscussion>Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.
+
+SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.
+
+A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81881V-67391CCI-001310Use triggers, constraints, foreign keys, etc. to validate data input.
+
+Modify SQL Server to properly use the correct column data types as required in the database.Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.
+
+If code exists that allows invalid data to be acted upon or input into the database, this is a finding.
+
+If column/field definitions are not reflective of the data, this is a finding.
+
+If columns/fields do not contain constraints and validity checking where required, this is a finding.
+
+Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.
+
+Where a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.SRG-APP-000266-DB-000162<GroupDescription></GroupDescription>SQL4-00-022800The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.<VulnDiscussion>Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.
+
+Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for end-user troubleshooting but very useful to someone targeting the system.
+
+Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
+
+It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. "ABGQ is not a valid widget code" would be appropriate; but "The INSERT statement conflicted with the FOREIGN KEY constraint "WidgetTransactionFK". The conflict occurred in database "DB7", table "dbo.WidgetMaster", column 'WidgetCode'" would not, as it reveals too much about the database structure.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81887V-67397CCI-001312Configure DBMS settings, custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages that are displayed to general users.Review application behavior and custom database code (stored procedures; triggers), to determine whether error messages contain information beyond what is needed for explaining the issue to general users.
+
+If database error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.SRG-APP-000267-DB-000163<GroupDescription></GroupDescription>SQL4-00-022900SQL Server must reveal detailed error messages only to the ISSO, ISSM (or their designees), SA and DBA.<VulnDiscussion>If the DBMS provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+Some default DBMS error messages can contain information that could aid an attacker in, among others things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information.
+
+It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. "ABGQ is not a valid widget code" would be appropriate; but "The INSERT statement conflicted with the FOREIGN KEY constraint "WidgetTransactionFK". The conflict occurred in database "DB7", table "dbo.WidgetMaster", column 'WidgetCode'" would not, as it reveals too much about the database structure.
+
+Administrative users authorized to review detailed error messages typically are the ISSO, ISSM, SA and DBA. Other individuals or roles may be specified according to organization-specific needs, with appropriate approval.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81889V-67399CCI-001314Configure audit logging, tracing and/or custom code in the database or application to record detailed error messages generated by SQL Server, for review by authorized personnel.Review application behavior, custom database code (stored procedures; triggers) and DBMS audit and trace settings, to determine whether detailed error messages are logged or stored for review by authorized personnel.
+
+If detailed error messages are not available to individuals authorized to view them, this is a finding.SRG-APP-000231-DB-000154<GroupDescription></GroupDescription>SQL4-00-024100The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified.<VulnDiscussion>When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81871V-67381CCI-001199Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.If no databases require encryption, this is not a finding.
+
+From the query prompt:
+SELECT name
+FROM [master].sys.databases
+WHERE is_master_key_encrypted_by_server = 1
+AND owner_sid <> 1
+AND state = 0;
+(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)
+
+If no databases are returned by the query, this is not a finding.
+
+For any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.
+
+If approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.
+
+If the additional requirements are not in place, this is a finding.SRG-APP-000231-DB-000154<GroupDescription></GroupDescription>SQL4-00-024200Database Master Key passwords must not be stored in credentials within the database.<VulnDiscussion>Storage of the Database Master Key password in a database credential allows decryption of sensitive data by privileged users who may not have a need-to-know requirement to access the data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81873V-67383CCI-001199Use the stored procedure sp_control_dbmasterkey_password to remove any credentials that
+store Database Master Key passwords.
+From the query prompt:
+EXEC SP_CONTROL_DBMASTERKEY_PASSWORD @db_name = '<database name>', @action
+= N'drop'From the query prompt:
+SELECT COUNT(credential_id)
+FROM [master].sys.master_key_passwords
+
+If count is not 0, this is a finding.SRG-APP-000231-DB-000154<GroupDescription></GroupDescription>SQL4-00-024300Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key.<VulnDiscussion>Data within the database is protected by use of encryption. The symmetric keys are critical for this process. If the symmetric keys were to be compromised the data could be disclosed to unauthorized personnel.
+
+The database master key is exempt, as a password must be supplied when creating it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81875V-67385CCI-001199Configure or alter symmetric keys to encrypt keys with certificates or authorized asymmetric keys.
+In a query tool:
+ ALTER SYMMETRIC KEY <key name> ADD ENCRYPTION BY CERTIFICATE <certificate name>;
+ ALTER SYMMETRIC KEY <key name> DROP ENCRYPTION BY <password, symmetric key or asymmetric key>;
+
+The symmetric key must specify a certificate or asymmetric key for encryption.In a query tool:
+USE <database name>;
+GO
+SELECT s.name, k.crypt_type_desc
+FROM sys.symmetric_keys s, sys.key_encryptions k
+WHERE s.symmetric_key_id = k.key_id
+AND s.name <> '##MS_DatabaseMasterKey##'
+AND k.crypt_type IN ('ESKP', 'ESKS')
+ORDER BY s.name, k.crypt_type_desc;
+GO
+
+Review any symmetric keys that have been defined against the System Security Plan.
+
+If any keys are defined that are not documented in the System Security Plan, this is a finding.
+
+Review the System Security Plan to review the encryption mechanism specified for each symmetric key. If the method does not indicate use of certificates, this is a finding.
+
+If the certificate specified is not a DoD PKI certificate, this is a finding.SRG-APP-000251-DB-000391<GroupDescription></GroupDescription>SQL4-00-031500The DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.<VulnDiscussion>With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.
+
+The principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers).
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81883V-67393CCI-001310Where dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, modify the code to do so.Review source code in the database (stored procedures, functions, triggers) and application source code, to identify cases of dynamic code execution.
+
+If dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, this is a finding.SRG-APP-000251-DB-000392<GroupDescription></GroupDescription>SQL4-00-031600The DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.<VulnDiscussion>With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.
+
+The principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers).
+
+When dynamic execution is necessary, ways to mitigate the risk include the following, which should be implemented both in the on-screen application and at the database level, in the stored procedures:
+-- Allow strings as input only when necessary.
+-- Rely on data typing to validate numbers, dates, etc. Do not accept invalid values. If substituting other values for them, think carefully about whether this could be subverted.
+-- Limit the size of input strings to what is truly necessary.
+-- If single quotes/apostrophes, double quotes, semicolons, equals signs, angle brackets, or square brackets will never be valid as input, reject them.
+-- If comment markers will never be valid as input, reject them. In SQL, these are -- or /* */
+-- If HTML and XML tags, entities, comments, etc., will never be valid, reject them.
+-- If wildcards are present, reject them unless truly necessary. In SQL these are the underscore and the percentage sign, and the word ESCAPE is also a clue that wildcards are in use.
+-- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject them. Use case-insensitive comparisons when searching for these. Bear in mind that some of these words, particularly Grant (as a person's name), could also be valid input.
+-- If there are range limits on the values that may be entered, enforce those limits.
+-- Institute procedures for inspection of programs for correct use of dynamic coding, by a party other than the developer.
+-- Conduct rigorous testing of program modules that use dynamic coding, searching for ways to subvert the intended use.
+-- Record the inspection and testing in the system documentation.
+-- Bear in mind that all this applies not only to screen input, but also to the values in an incoming message to a web service or to a stored procedure called by a software component that has not itself been hardened in these ways. Not only can the caller be subject to such vulnerabilities; it may itself be the attacker.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81885V-67395CCI-001310Where dynamic code execution is used, modify the code to implement protections against code injection.Review source code in the database (stored procedures, functions, triggers) and application source code to identify cases of dynamic code execution.
+
+If dynamic code execution is employed without protective measures against code injection, this is a finding.SRG-APP-000311-DB-000308<GroupDescription></GroupDescription>SQL4-00-031900When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.<VulnDiscussion>Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions.
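Review bot: the VulnDiscussion for SQL4-00-031600 ends "must document what has been discovered" with no closing period before </VulnDiscussion>, while the identical closing paragraph in SQL4-00-035200 ends "discovered."; make the two consistent. Also, every rule in this region is stamped "DPMS Target MS SQL Server 2014 Database" with SQL4-00-* rule IDs and CCI references; please confirm those are the rules the benchmark's own title block earlier in this file describes, since a benchmark whose header and rule set disagree will be mis-applied by scanners keyed on the benchmark ID.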
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
+
+These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy.
+
+One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+
+SQL Server does not include security labeling as a standard or licensable feature. Earlier releases of this STIG suggested using the SQL Server Label Security Toolkit, from codeplex.com. However, codeplex.com has been shut down, and it is unclear whether the Toolkit is still supported. If the organization does have access to the Toolkit, it may still be used, provided the organization accepts responsibility for its support. Other implementations may also exist. Custom application code is also a viable way to implement a solution.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81891V-67401CCI-002262Develop SQL or application code or acquire a third party tool to perform data labeling.If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.SRG-APP-000313-DB-000309<GroupDescription></GroupDescription>SQL4-00-032000When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process.<VulnDiscussion>Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
+
+These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy.
+
+One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+SQL Server does not include security labeling as a standard or licensable feature. Earlier releases of this STIG suggested using the SQL Server Label Security Toolkit, from codeplex.com. However, codeplex.com has been shut down, and it is unclear whether the Toolkit is still supported. If the organization does have access to the Toolkit, it may still be used, provided the organization accepts responsibility for its support. Other implementations may also exist. Custom application code is also a viable way to implement a solution.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81893V-67403CCI-002263Develop SQL or application code or acquire a third party tool to perform data labeling.If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in process, this is a finding.SRG-APP-000314-DB-000310<GroupDescription></GroupDescription>SQL4-00-032100When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission.<VulnDiscussion>Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
+
+These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy.
+
+One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+SQL Server does not include security labeling as a standard or licensable feature. Earlier releases of this STIG suggested using the SQL Server Label Security Toolkit, from codeplex.com. However, codeplex.com has been shut down, and it is unclear whether the Toolkit is still supported. If the organization does have access to the Toolkit, it may still be used, provided the organization accepts responsibility for its support. Other implementations may also exist. Custom application code is also a viable way to implement a solution.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81895V-67405CCI-002264Develop SQL or application code or acquire a third party tool to perform data labeling.If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in transmission, this is a finding.SRG-APP-000375-DB-000323<GroupDescription></GroupDescription>SQL4-00-033700Time stamps in database tables, intended for auditing or activity-tracking purposes, must include both date and time of day, with a minimum granularity of one second.<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis, in audit files, trace files/tables, and application data tables.
+
+Time stamps generated by SQL Server must include date and time, to a granularity of one second or finer. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the precision available in time stamp values. Granularity coarser than one second is not sufficient for audit trail purposes, and granularity finer than one second is recommended. Time stamp values are typically presented with three or more decimal places of seconds; however, the actual granularity may be coarser than the apparent precision. For example, SQL Server's GETDATE()/CURRENT_TMESTAMP values are presented to three decimal places, but the granularity is not one millisecond: it is about 1/300 of a second.
+
+The data types that can be used for this purpose in SQL Server are:
+DATETIME2 - precision variable from a whole second down to a ten-millionth (subject to the actual precision of the hardware and operating system)
+DATETIMEOFFSET - as datetime2, together with local offset from UTC
+DATE, together with TIME (same precision considerations as for datetime2)
+DATETIME - precision 1/300 of a second
+Character-string data types allowing for at least 20 characters are also permissible, but not recommended.
+
+SQL Server built-in functions for retrieving current timestamps are: (high precision) sysdatetime(), sysdatetimeoffset(), sysutcdatetime(); (lower precision) CURRENT_TIMESTAMP or getdate(), getutcdate().
+
+Ensure that values recorded for tracking purposes in data tables are correctly defined and maintained. (Design decisions about which tables require audit-trail or activity-tracking columns are outside the scope of this STIG. This requirement applies only to the data type and maintenance of such columns if they do exist.)
+
+The SMALLDATETIME data type is not precise enough for this purpose. Although it gives the impression of including a seconds component, the seconds value is always "00".
+
+SQL Server offers a data type called TIMESTAMP that is not a representation of date and time. Rather, it is a database state counter and does not correspond to calendar and clock time. This requirement does not refer to that meaning of TIMESTAMP. To avoid confusion, Microsoft recommends using the newer name for this data type, ROWVERSION, instead.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81897V-67407CCI-001889Modify applications and/or column/field definitions so that the time stamps in audit-trail and activity-tracking columns/fields in application data include date and time of day, to a granularity of one second or finer, and are recorded accurately.Review the column definitions and contents of audit-trail and activity-tracking timestamps in database tables.
+
+If these are not defined and maintained to include date and time of day, accurate to a granularity of one second or finer, this is a finding.SRG-APP-000428-DB-000386<GroupDescription></GroupDescription>SQL4-00-034700SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.<VulnDiscussion>Databases holding data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.
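Review bot: "CURRENT_TMESTAMP" in the discussion of SQL4-00-033700 is a typo for CURRENT_TIMESTAMP; fix it, because that sentence is the one a DBA will search for when checking GETDATE() granularity. The rest of the data-type guidance reads correctly (DATETIME at about 1/300 s, SMALLDATETIME with a seconds value always "00", TIMESTAMP/ROWVERSION being a state counter rather than clock time). One small gap: the check text asks reviewers to confirm columns are "maintained" accurately but gives no hint how, so consider a sentence pointing at the listed SYSDATETIME()/SYSUTCDATETIME() functions as the expected default or trigger source.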
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
+
+The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81899V-67409CCI-002475Where full-disk encryption is required, configure Windows and/or the storage system to provide this.
+
+Where transparent data encryption (TDE) is required, deploy the necessary stack of certificates and keys, and set the Encryption Enabled to True. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 TDE".
+
+Where column encryption is required, deploy the necessary stack of certificates and keys, and enable encryption on the columns in question. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 Encrypt a Column of Data".Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
+
+If no information is identified as requiring such protection, this is not a finding.
+
+Review the configuration of SQL Server, Windows, and additional software as relevant.
+
+If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.
+
+If database transparent data encryption (TDE) is called for, check whether it is enabled:
+In SQL Server Management Studio, Object Explorer, expand the instance and right-click on the database name; select properties. Select the Options page, State section, Encryption Enabled parameter.
+
+If the value displayed is False, this is a finding.
+
+If column encryption, done via SQL Server features, is required, review the definitions and contents of the relevant tables and columns.
+
+If any of the information defined as requiring cryptographic protection is not encrypted in a manner that provides the required level of protection, this is a finding.SRG-APP-000447-DB-000393<GroupDescription></GroupDescription>SQL4-00-035200When invalid inputs are received, SQL Server must behave in a predictable and documented manner that reflects organizational and system objectives.<VulnDiscussion>A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.
+
+The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81901V-67411CCI-002754Revise and deploy the source code for database program objects (stored procedures, functions, triggers) and application source code, to implement the documented behavior.Review system documentation to determine how input errors are to be handled in general and if any special handling is defined for specific circumstances.
+
+Review the source code for database program objects (stored procedures, functions, triggers) and application source code to identify how the system responds to invalid input.
+
+If it does not implement the documented behavior, this is a finding.SRG-APP-000494-DB-000344<GroupDescription></GroupDescription>SQL4-00-035800Trace or Audit records must be generated when categorized information (e.g., classification levels/security levels) is accessed.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016. Note also that Trace does not support auditing of SELECT statements, whereas Audit does.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide this tracking at the application level, if Trace is used for audit purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81903V-67413CCI-000172Where SQL Server Trace is in use, implement tracking of SELECTs on categorized data at the application level, using the system stored procedure sp_trace_generateevent to write the tracking records to the Trace used for audit purposes.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the application(s) using the database to verify that all SELECT actions on categorized data are being audited, and that the tracking records are written to the SQL Server Trace. If not, this is a finding.
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible.
+
+If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000494-DB-000345<GroupDescription></GroupDescription>SQL4-00-035900Trace or Audit records must be generated when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
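Review bot: the check query for SQL4-00-035800 only confirms that a row for SCHEMA_OBJECT_ACCESS_GROUP exists in sys.server_audit_specification_details; it never confirms that the server audit specification or its parent server audit is enabled, so a specification that was left at STATE = OFF (the very state the fix script passes through) would pass this check while producing no audit records. Suggest also requiring is_state_enabled = 1 on the matching row in sys.server_audit_specifications and a status_desc of 'STARTED' for the parent audit in sys.dm_server_audit_status, or at least a sentence telling the reviewer to verify both. The same gap exists in the identical query repeated under SQL4-00-035900.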
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016. Note also that Trace does not support auditing of SELECT statements, whereas Audit does.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide this tracking at the application level, if Trace is used for audit purposes.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_ACCESS_GROUP causes capture of all accesses, successful and otherwise, to all schema-scoped objects. The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False. For example, SELECT 1/0 FROM SYS.ALL_OBJECTS will appear in the audit trail as successful, if the user has permission to perform that action, even though it contains an invalid expression. Some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81905V-67415CCI-000172Where SQL Server Trace is in use, implement tracking of SELECTs on categorized data at the application level, using the system stored procedure sp_trace_generateevent to write the tracking records to the Trace used for audit purposes. Include failed attempts in the tracking.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the application(s) using the database to verify that all SELECT actions on categorized data, including unsuccessful attempts, are being audited; and that the tracking records are written to the SQL Server Trace used for audit purposes. If not, this is a finding.
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible.
+
+If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000495-DB-000328<GroupDescription></GroupDescription>SQL4-00-036200SQL Server must generate Trace or Audit records when privileges/permissions are modified via locally-defined security objects.<VulnDiscussion>Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.
+
+In SQL Server, there is no distinction between modification of permissions and granting or dropping them. However, native SQL Server security functionality may be supplemented with application-specific tables and logic, in which case the following actions on these tables and procedures/triggers/functions are also relevant:
+UPDATE
+EXECUTE
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81907V-67417CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Execute Trace.sql.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOObtain the list of locally-defined security tables, procedures and functions that require tracking.
+
+If there are none, this is not a finding.
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the locally-defined security tables for the existence of triggers to raise a custom event on each Update operation. If such triggers are not present, this is a finding.
+
+Verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+Verify that all EXECUTE actions on locally-defined permissions-related procedures are being audited. If not, this is a finding.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all UPDATE and EXECUTE actions on any locally-defined permissions tables, procedures and functions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000495-DB-000329<GroupDescription></GroupDescription>SQL4-00-036300SQL Server must generate Trace or Audit records when unsuccessful attempts to modify privileges/permissions via locally-defined security objects occur.<VulnDiscussion>Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.
+
+In SQL Server, there is no distinction between modification of permissions and granting or dropping them. However, native SQL Server security functionality may be supplemented with application-specific tables and logic, in which case the following actions on these tables and procedures/triggers/functions are also relevant:
+UPDATE
+EXECUTE
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_ACCESS_GROUP causes capture of all accesses, successful and otherwise, to the system views (and all other schema-scoped objects). The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False. For example, SELECT 1/0 FROM SYS.ALL_OBJECTS will appear in the audit trail as successful, if the user has permission to perform that action, even though it contains an invalid expression. Some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81909V-67419CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Execute Trace.sql.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOObtain the list of locally-defined security tables, procedures and functions that require tracking. If there are none, this is not a finding.
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the locally-defined security tables for the existence of triggers to raise a custom event on each Update operation. If such triggers are not present, this is a finding.
+
+Verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+Verify that all EXECUTE actions on locally-defined permissions-related procedures are being audited. If not, this is a finding.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all UPDATE and EXECUTE actions on any locally-defined permissions tables, procedures and functions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000496-DB-000334<GroupDescription></GroupDescription>SQL4-00-036400SQL Server must generate Trace or Audit records when locally-defined security objects are modified.<VulnDiscussion>SQL Server protects its built-in security objects (tables, views, functions, procedures, etc.) from alteration by database users and administrators. However, applications sometimes have additional, security-related objects defined in the database. ALTER operations on these objects must be monitored.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81911V-67421CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_CHANGE_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf there are no locally-defined security tables or procedures, this is not a finding.
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+46 -- Object:Created
+47 -- Object:Deleted
+162 -- User error message
+164 -- Object:Altered
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_CHANGE_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all CREATE, ALTER, and DROP actions on any locally-defined permissions tables, procedures and functions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_CHANGE_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000496-DB-000335<GroupDescription></GroupDescription>SQL4-00-036500SQL Server must generate Trace or Audit records when unsuccessful attempts to modify locally-defined security objects occur.<VulnDiscussion>SQL Server protects its built-in security objects (tables, views, functions, procedures, etc.) from alteration by database users and administrators. However, applications sometimes have additional, security-related objects defined in the database. ALTER operations on these objects must be monitored.
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_CHANGE_GROUP causes capture of all attempts, successful and otherwise, to CREATE, ALTER, or DROP any schema-scoped objects. The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81925V-67435CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_CHANGE_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf there are no locally-defined security tables or procedures, this is not a finding.
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+46 -- Object:Created
+47 -- Object:Deleted
+162 -- User error message
+164 -- Object:Altered
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_CHANGE_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all CREATE, ALTER, and DROP actions on any locally-defined permissions tables, procedures and functions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_CHANGE_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000498-DB-000346<GroupDescription></GroupDescription>SQL4-00-036600Trace or Audit records must be generated when categorized information (e.g., classification levels/security levels) is created.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide that part of the tracking at the application level. Because of this, it may also be appropriate to audit INSERT actions at the application level. However, to capture all INSERTs, whether they come from the application or bypass it, the Trace must be configured to cover them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81927V-67437CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event for INSERTs on each table holding categorized information. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the Trace settings, and the triggers on the tables holding categorized information, to determine whether all INSERT actions on these tables are traced, including failed attempts. If not, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+82-91 -- User-defined Event (at least one of these, matching the triggers; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000498-DB-000346<GroupDescription></GroupDescription>SQL4-00-036650Trace or Audit records must be generated when categorized information (e.g., classification levels/security levels) is modified.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide that part of the tracking at the application level. Because of this, it may also be appropriate to audit UPDATE actions at the application level. However, to capture all UPDATEs, whether they come from the application or bypass it, the Trace must be configured to cover them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81931V-67441CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event for UPDATEs on each table holding categorized information. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the triggers on all tables holding categorized information, to determine whether trace events are generated for all UPDATE actions on these tables. If not, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+82-91 -- User-defined Event (at least one of these, matching the triggers; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000498-DB-000347<GroupDescription></GroupDescription>SQL4-00-036800Trace or Audit records must be generated when unsuccessful attempts to create categorized information (e.g., classification levels/security levels) occur.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide that part of the tracking at the application level. Because of this, it may also be appropriate to audit INSERT actions at the application level. However, to capture all INSERTs, whether they come from the application or bypass it, the Trace must be configured to cover them.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_ACCESS_GROUP causes capture of all accesses, successful and otherwise, to all schema-scoped objects. The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False; and some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81929V-67439CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event for INSERTs on each table holding categorized information. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the Trace settings, and the triggers on the tables holding categorized information, to determine whether all INSERT actions on these tables are traced, including failed attempts. If not, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+82-91 -- User-defined Event (at least one of these, matching the triggers; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000498-DB-000347<GroupDescription></GroupDescription>SQL4-00-036850Trace or Audit records must be generated when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide that part of the tracking at the application level. Because of this, it may also be appropriate to audit UPDATE actions at the application level. However, to capture all UPDATEs, whether they come from the application or bypass it, the Trace must be configured to cover them.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_ACCESS_GROUP causes capture of all accesses, successful and otherwise, to all schema-scoped objects. The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False. For example, SELECT 1/0 FROM SYS.ALL_OBJECTS will appear in the audit trail as successful, if the user has permission to perform that action, even though it contains an invalid expression. Some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81933V-67443CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event for UPDATEs on each table holding categorized information. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the Trace settings, and the triggers on the tables holding categorized information, to determine whether all UPDATE actions on these tables are traced, including failed attempts. If not, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+82-91 -- User-defined Event (at least one of these, matching the triggers; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000501-DB-000336<GroupDescription></GroupDescription>SQL4-00-037100SQL Server must generate Trace or Audit records when locally-defined security objects are dropped.<VulnDiscussion>SQL Server protects its built-in security objects (tables, views, functions, procedures, etc.) from alteration by database users and administrators. However, applications sometimes have additional, security-related objects defined in the database. DROP operations on these objects must be monitored.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81923V-67433CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Execute Trace.sql.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_CHANGE_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If there are no locally-defined security tables or procedures, this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+46 -- Object:Created
+47 -- Object:Deleted
+162 -- User error message
+164 -- Object:Altered
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_CHANGE_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all CREATE, ALTER, and DROP actions on any locally-defined permissions tables, procedures and functions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_CHANGE_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000501-DB-000337<GroupDescription></GroupDescription>SQL4-00-037200SQL Server must generate Trace or Audit records when unsuccessful attempts to drop locally-defined security objects occur.<VulnDiscussion>SQL Server protects its built-in security objects (tables, views, functions, procedures, etc.) from alteration by database users and administrators. However, applications sometimes have additional, security-related objects defined in the database. DROP operations on these objects must be monitored.
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_CHANGE_GROUP causes capture of all attempts, successful and otherwise, to CREATE, ALTER, or DROP any schema-scoped objects. The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81921V-67431CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Execute Trace.sql.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_CHANGE_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If there are no locally-defined security tables or procedures, this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+46 -- Object:Created
+47 -- Object:Deleted
+162 -- User error message
+164 -- Object:Altered
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_CHANGE_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all CREATE, ALTER, and DROP actions on any locally-defined permissions tables, procedures and functions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_CHANGE_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000502-DB-000348<GroupDescription></GroupDescription>SQL4-00-037300Trace or Audit records must be generated when categorized information (e.g., classification levels/security levels) is deleted.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide that part of the tracking at the application level. Because of this, it may also be appropriate to audit DELETE actions at the application level. However, to capture all DELETEs, whether they come from the application or bypass it, the Trace must be configured to cover them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81919V-67429CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event for DELETEs on each table holding categorized information. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the triggers on all tables holding categorized information, to determine whether trace events are generated for all DELETE actions on these tables. If not, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+
+In the following, replace # with a trace ID being used for the auditing requirements.
+
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+82-91 -- User-defined Event (at least one of these, matching the triggers; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000502-DB-000349<GroupDescription></GroupDescription>SQL4-00-037400Trace or Audit records must be generated when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur.<VulnDiscussion>Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Since Trace does not provide for tracking SELECT statements, it is necessary to provide that part of the tracking at the application level. Because of this, it may also be appropriate to audit DELETE actions at the application level. However, to capture all DELETEs, whether they come from the application or bypass it, the Trace must be configured to cover them.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_ACCESS_GROUP causes capture of all accesses, successful and otherwise, to all schema-scoped objects. The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False. For example, SELECT 1/0 FROM SYS.ALL_OBJECTS will appear in the audit trail as successful, if the user has permission to perform that action, even though it contains an invalid expression. Some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81917V-67427CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event for DELETEs on each table holding categorized information. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOReview the system documentation to determine whether it is required to track categories of information, such as classification or sensitivity level. If it is not, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, review the Trace settings, and the triggers on the tables holding categorized information, to determine whether all DELETE actions on these tables are traced, including failed attempts. If not, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+82-91 -- User-defined Event (at least one of these, matching the triggers; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000507-DB-000356<GroupDescription></GroupDescription>SQL4-00-038100SQL Server must generate Trace or Audit records when successful accesses to designated objects occur.<VulnDiscussion>Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
+
+Types of access include, but are not necessarily limited to:
+SELECT
+INSERT
+UPDATE
+DELETE
+EXECUTE
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+Trace does not offer tracking of SELECT operations, so where this is required it must be implemented at the application level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81915V-67425CCI-000172Where SQL Server Trace is in use, implement tracking of SELECTs on designated tables at the application level, using the system stored procedure sp_trace_generateevent to write the tracking records to the Trace used for audit purposes.
+
+Create triggers to raise a custom event on each table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers.
+
+Ensure that Trace.sql includes blocks of code for event classes 42, 43, and 162.
+
+Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of objects (tables and stored procedures) where tracking of SELECT, INSERT, UPDATE, DELETE, or EXECUTE actions is required. If there are none, this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, review the application(s) using the database to verify that all SELECT actions on categorized data are being audited, and that the tracking records are written to the SQL Server Trace used for audit purposes. If not, this is a finding.
+
+Review the designated tables for the existence of triggers to raise a custom event on each Insert-Update-Delete operation.
+
+If such triggers are not present, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event (at least one of these; 90 is used in the supplied script)
+162 -- User error message
+
+If SQL Server Audit is in use, verify that execution of all SELECT, INSERT, UPDATE, DELETE, or EXECUTE actions on the designated objects, is audited,.
+
+If any such actions are not audited, this is a finding.
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all logons and connections are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+GO
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000507-DB-000357<GroupDescription></GroupDescription>SQL4-00-038200SQL Server must generate Trace or Audit records when unsuccessful accesses to designated objects occur.<VulnDiscussion>Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Types of access include, but are not necessarily limited to:
+SELECT
+INSERT
+UPDATE
+DELETE
+EXECUTE
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990SV-81913V-67423CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of objects (tables and stored procedures) where tracking of SELECT, INSERT, UPDATE, DELETE, or EXECUTE actions is required. If there are none, this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event ID should be among those listed; if not, this is a finding:
+
+162 -- User error message
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all logons and connections are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+GO
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SQL4-00-038300<GroupDescription></GroupDescription>SQL4-00-038300Microsoft SQL Server products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
+
+Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
+
+When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 DatabaseDISADPMS TargetMS SQL Server 2014 Database3990CCI-003376Upgrade unsupported DBMS or unsupported components to a supported version of the product.Review the version and release information.
+
+Verify the SQL Server version via one of the following methods:
+Connect to the server by using Object Explorer in SQL Server Management Studio. After Object Explorer is connected, it will show the version information in parentheses, together with the user name that is used to connect to the specific instance of SQL Server.
+
+Or, from SQL Server Management Studio:
+
+SELECT @@VERSION;
+
+More information for finding the version is available at the following link:
+https://learn.microsoft.com/en-us/troubleshoot/sql/releases/find-my-sql-version
+
+SQL Server 2014 is no longer supported by the vendor. If the system is running SQL Server 2014 or earlier, this is a finding.
\ No newline at end of file
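Review bot: the SQL Server Audit check wording for SQL4-00-038100 and SQL4-00-038200 is wrong for the query it introduces: both say "Run the following to verify that all logons and connections are being audited:" but the query that follows filters sys.server_audit_specification_details on audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP', which records schema-object access, not logons. The earlier check in this hunk has the correct lead-in ("verify that all SELECT, INSERT, UPDATE, and DELETE actions on tables and views are being audited") and that phrasing, extended with EXECUTE, is what these two rules need; the stray ",." after "is audited" in the 038100 check should go as well. Two smaller points: SQL4-00-038300 states "If the system is running SQL Server 2014 or earlier, this is a finding", so every instance this benchmark targets fails that rule by construction, which is worth a line in the repo docs if the file is kept for legacy scanning; and the file is missing a trailing newline ("\ No newline at end of file"), so add one to keep later diffs against it clean. If the policy is to import DISA releases verbatim (this is V2R4, 24 Jul 2024), carry the wording fixes upstream rather than patching here.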
diff --git a/benchmarks/DISA/U_MS_SQL_Server_2014_Instance_STIG_V2R4_Manual-xccdf.xml b/benchmarks/DISA/U_MS_SQL_Server_2014_Instance_STIG_V2R4_Manual-xccdf.xml
new file mode 100644
index 000000000..8b3494df2
--- /dev/null
+++ b/benchmarks/DISA/U_MS_SQL_Server_2014_Instance_STIG_V2R4_Manual-xccdf.xml
@@ -0,0 +1,3245 @@
+acceptedMS SQL Server 2014 Instance Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 4 Benchmark Date: 24 Jul 20243.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000001-DB-000031<GroupDescription></GroupDescription>SQL4-00-000100The number of concurrent SQL Server sessions for each system account must be limited.<VulnDiscussion>A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by DoS attacks.
+
+One way SQL Server can limit exposure to DoS attacks is to restrict the number of connections that can be opened by a single user. SQL Server supports this through the use of logon triggers. (Note, however, that this need not be the only, or even the principal, means for satisfying this requirement. Depending on the architecture and capabilities of the network and application, a network device or an application may be more suitable for providing this protection.)
+
+When determining the appropriate values for this limit, take the characteristics of the various kinds of user into account, and bear in mind that some applications and some users may need to have multiple sessions open. For example, while a standard account using a simple application may never need more than, say, five connections, a database administrator using SQL Server Management Studio may need significantly more, because each tab in that application counts as a distinct session.
+
+Architectural note: In SQL Server, a count of active sessions by user can be obtained from one of the dynamic management views. For example:
+ SELECT original_login_name, count(*)
+ FROM sys.dm_exec_sessions
+ WHERE is_user_process = 1
+ GROUP BY original_login_name;
+However, for this to return an accurate count in a logon trigger, the user would have to have the View Server State privilege. (Without this privilege, the trigger sees information only about the current session, so would always return a count of one.) View Server State would give that user access to a wide swath of information about the server. One way to avoid this exposure is to create a summary table, and a view of that table that restricts each user to seeing his/her own count, and establish a frequently-run background job to refresh the table (using the above query or similar). The logon trigger then queries the view to obtain a count that is accurate enough for this purpose in most circumstances.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82247V-67757CCI-000054Establish the limit(s) appropriate to the type(s) of user account accessing the SQL Server instance, and record them in the system documentation.
+
+Implement one or more logon triggers to enforce the limit(s), without exposing the dynamic management views to general users.Review the system documentation to determine whether any limits have been defined. If not, this is a finding.
+
+If one limit has been defined but is not applied to all users, including privileged administrative accounts, this is a finding.
+
+If multiple limits have been defined, to accommodate different types of user, verify that together they cover all users. If not, this is a finding.
+
+If a mechanism other than a logon trigger is used, verify its correct operation by the appropriate means.
+
+If it does not work correctly, this is a finding.
+
+Otherwise, determine if a logon trigger exists:
+
+EITHER, in SQL Server Management Studio's Object Explorer tree:
+Expand [SQL Server Instance] >> Security >> Server Objects >> Triggers
+
+OR run the query:
+SELECT * FROM master.sys.server_triggers;
+
+If no triggers are listed, this is a finding.
+
+If triggers are listed, identify the one(s) limiting the number of concurrent sessions per user.
+
+If none are found, this is a finding.
+
+If they are present but disabled, this is a finding.
+
+Examine the trigger source code for logical correctness and for compliance with the documented limit(s).
+
+If errors or variances exist, this is a finding.
+
+Verify that the system does execute the trigger(s) each time a user session is established.
+
+If it does not operate correctly for all types of user, this is a finding.SRG-APP-000033-DB-000084<GroupDescription></GroupDescription>SQL4-00-002010SQL Server must enforce approved authorizations for logical access to server-level system resources in accordance with applicable access control policies.<VulnDiscussion>Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the SQL Server instance and server-level resources. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including SQL Server instances, must be properly configured to implement access control policies.
+
+Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+
+Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
+
+This requirement is applicable to access control enforcement applications, a category that includes SQL Server. If SQL Server is not configured to follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82251V-67761CCI-000213Use GRANT, REVOKE, DENY, ALTER SERVER ROLE … ADD MEMBER … and/or ALTER SERVER ROLE …. DROP MEMBER statements to add and remove permissions on server-level securables, bringing them into line with the documented requirements.Review the system documentation to determine the required levels of protection for DBMS server securables, by type of login.
+
+Review the permissions actually in place on the server.
+
+The server permission functions and views provided in the supplemental file Permissions.sql can help with this.
+
+If the actual permissions do not match the documented requirements, this is a finding.SRG-APP-000141-DB-000092<GroupDescription></GroupDescription>SQL4-00-010200SQL Server default account [sa] must have its name changed.<VulnDiscussion>SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account name and is likely to be targeted by attackers, and is thus more prone to providing unauthorized access to the database.
+
+Since the SQL Server [sa] is administrative in nature, the compromise of a default account can have catastrophic consequences, including the complete loss of control over SQL Server. Since SQL Server needs for this account to exist and it should not be removed, one way to mitigate this risk is to change the [sa] account name.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82345V-67855CCI-000381Modify the SQL Server's [sa] (system administrator) account by running the following script:
+
+USE master;
+GO
+ALTER LOGIN [sa] WITH NAME = <new name>;
+GOVerify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query:
+
+USE master;
+GO
+SELECT *
+FROM sys.sql_logins
+WHERE [name] = 'sa' OR [principal_id] = 1;
+GO
+
+If the login account name "SA" or "sa" appears in the query output, this is a finding.SRG-APP-000090-DB-000065<GroupDescription></GroupDescription>SQL4-00-011300Where SQL Server Trace is in use for auditing purposes, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be traced.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.
+
+Suppression of auditing could permit an adversary to evade detection.
+
+Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+This version of the requirement deals with Trace-based audit trails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82255V-67765CCI-000171Create a server role specifically for audit maintainers, and give it permission to maintain traces, without granting it unnecessary permissions:
+ USE master;
+ GO
+ CREATE SERVER ROLE SERVER_AUDIT_MAINTAINERS;
+ GO
+ GRANT ALTER TRACE TO SERVER_AUDIT_MAINTAINERS;
+ -- Next line only if required:
+ GRANT CREATE TRACE EVENT NOTIFICATION TO SERVER_AUDIT_MAINTAINERS;
+ GO
+(The role name used here is an example; other names may be used.)
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove the ALTER TRACE and CREATE TRACE EVENT NOTIFICATION permissions from all logins.
+
+Then, for each authorized login, run the statement:
+ ALTER SERVER ROLE SERVER_AUDIT_MAINTAINERS ADD MEMBER <login name>;
+ GOIf SQL Server Trace is not in use for audit purposes, this is not a finding.
+
+Obtain the list of approved audit maintainers from the system documentation.
+
+Review the server roles and individual logins that have the following permissions, all of which enable the ability to create and maintain audit definitions (the views and functions provided in the supplemental fine Permissions.sql can assist in this):
+ALTER TRACE
+CREATE TRACE EVENT NOTIFICATION
+
+The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions. To see which logins and server roles have been granted these permissions:
+ SELECT
+ *
+ FROM
+ STIG.server_permissions P
+ WHERE
+ P.[Permission] IN
+ (
+ 'ALTER TRACE',
+ 'CREATE TRACE EVENT NOTIFICATION'
+ );
+
+To see what logins and server roles inherit these permissions from the server roles reported by the previous query, repeat the following for each one:
+ SELECT * FROM STIG.members_of_server_role(<server role name>);
+
+To see all the permissions in effect for a server principal (server role or login):
+ SELECT * FROM STIG.server_effective_permissions(<principal name>);
+
+If designated personnel are not able to configure auditable events, this is a finding.
+
+If unapproved personnel are able to configure auditable events, this is a finding.SRG-APP-000090-DB-000065<GroupDescription></GroupDescription>SQL4-00-011310Where SQL Server Audit is in use, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the server level.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.
+
+Suppression of auditing could permit an adversary to evade detection.
+
+Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+This version of the requirement deals with SQL Server Audit-based audit trails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82257V-67767CCI-000171Create a server role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions:
+ USE master;
+ GO
+ CREATE SERVER ROLE SERVER_AUDIT_MAINTAINERS;
+ GO
+ GRANT ALTER ANY SERVER AUDIT TO SERVER_AUDIT_MAINTAINERS;
+ GO
+(The role name used here is an example; other names may be used.)
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY SERVER AUDIT permission from all logins.
+
+Then, for each authorized login, run the statement:
+ ALTER SERVER ROLE SERVER_AUDIT_MAINTAINERS ADD MEMBER <login name>;
+ GO
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL SERVER, ALTER ANY DATABASE and CREATE ANY DATABASE permissions from logins that do not need them.If SQL Server Audit is not in use, this is not a finding.
+
+Obtain the list of approved audit maintainers from the system documentation.
+
+Review the server roles and individual logins that have the following permissions, all of which enable the ability to create and maintain audit definitions (the views and functions provided in the supplemental fine Permissions.sql can assist in this):
+ALTER ANY SERVER AUDIT
+CONTROL SERVER
+ALTER ANY DATABASE
+CREATE ANY DATABASE
+
+The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions. To see which logins and server roles have been granted these permissions:
+ SELECT
+ *
+ FROM
+ STIG.server_permissions P
+ WHERE
+ P.[Permission] IN
+ (
+ 'ALTER ANY SERVER AUDIT',
+ 'CONTROL SERVER',
+ 'ALTER ANY DATABASE',
+ 'CREATE ANY DATABASE'
+ );
+
+To see what logins and server roles inherit these permissions from the server roles reported by the previous query, repeat the following for each one:
+ SELECT * FROM STIG.members_of_server_role(<server role name>);
+
+To see all the permissions in effect for a server principal (server role or login):
+ SELECT * FROM STIG.server_effective_permissions(<principal name>);
+
+If designated personnel are not able to configure auditable events, this is a finding.
+
+If unapproved personnel are able to configure auditable events, this is a finding.SRG-APP-000091-DB-000066<GroupDescription></GroupDescription>SQL4-00-011410Where SQL Server Audit is in use, SQL Server must generate audit records when privileges/permissions are retrieved.<VulnDiscussion>The system must monitor who/what is reading privilege/permission/role information.
+
+This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that SQL Server continually performs to determine if any and every action on the database is permitted.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+This requirement applies to SQL Server Audit-based audit trails; Trace does not have this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82259V-67769CCI-000172Design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf SQL Server Trace is in use for audit purposes, and SQL Server Audit is not in use, this is not a finding.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT actions on the permissions-related system views, and any locally-defined permissions tables, are being audited:
+
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000096-DB-000040<GroupDescription></GroupDescription>SQL4-00-011900SQL Server must produce Trace or Audit records containing sufficient information to establish when the events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
+
+SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82263V-67773CCI-000131Design and deploy a SQL Server Audit or a Trace that captures Start Time and (where relevant) End Time for all auditable events.
+
+The script provided in the supplemental file Trace.sql can be used to create a trace.
+
+The script provided in the supplemental file Audit.sql can be used to create an audit..If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Audit is in use, the event time and date are always captured: this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that for all events it captures the start and (where relevant) end time.
+From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+WITH
+EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(2)),
+E AS (SELECT DISTINCT eventid FROM EC)
+SELECT
+ E.eventid,
+ CASE WHEN EC14.columnid IS NULL THEN 'Start Time (14) missing' ELSE '14 OK' END AS field14,
+ CASE WHEN EC15.columnid IS NULL THEN 'End Time (15) missing' ELSE '15 OK' END AS field15
+FROM E E
+ LEFT OUTER JOIN EC EC14
+ ON EC14.eventid = E.eventid
+ AND EC14.columnid = 14
+ LEFT OUTER JOIN EC EC15
+ ON EC15.eventid = E.eventid
+ AND EC15.columnid = 15
+WHERE
+ EC14.columnid IS NULL OR EC15.columnid IS NULL;
+
+If the resulting list indicates any field specifications are missing, this is a finding.SRG-APP-000097-DB-000041<GroupDescription></GroupDescription>SQL4-00-012000SQL Server must produce Trace or Audit records containing sufficient information to establish where the events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
+
+SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use.
+
+An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. If SQL Server Audit is enabled, SQL Server does capture the event location-specific information in all audit records.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82265V-67775CCI-000132Design and deploy a SQL Server Audit or Trace that captures the server name, database name, object type, object name and object owner (each where relevant) for all auditable events.
+
+The script provided in the supplemental file Trace.sql can be used to create a trace.
+
+The script provided in the supplemental file Audit.sql can be used to create an audit..If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Audit is in use, the server instance, database, schema, and object names are each automatically captured when applicable; this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that for all events it captures the server name, database name, object type, object name and object owner (each where relevant).
+From the query prompt:
+
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+
+WITH
+EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(#)),
+E AS (SELECT DISTINCT eventid FROM EC)
+SELECT
+ E.eventid,
+ CASE WHEN EC26.columnid IS NULL THEN 'Server Name (26) missing' ELSE '26 OK' END AS field26,
+ CASE WHEN EC35.columnid IS NULL THEN 'Database Name (35) missing' ELSE '35 OK' END AS field35,
+ CASE WHEN EC28.columnid IS NULL THEN 'Object Type (28) missing' ELSE '28 OK' END AS field28,
+ CASE WHEN EC34.columnid IS NULL THEN 'Object Name (34) missing' ELSE '34 OK' END AS field34,
+ CASE WHEN EC37.columnid IS NULL THEN 'Object Owner (37) missing' ELSE '34 OK' END AS field37
+FROM E E
+ LEFT OUTER JOIN EC EC26
+ ON EC26.eventid = E.eventid
+ AND EC26.columnid = 26
+ LEFT OUTER JOIN EC EC35
+ ON EC35.eventid = E.eventid
+ AND EC35.columnid = 35
+ LEFT OUTER JOIN EC EC28
+ ON EC28.eventid = E.eventid
+ AND EC28.columnid = 28
+ LEFT OUTER JOIN EC EC34
+ ON EC34.eventid = E.eventid
+ AND EC34.columnid = 34
+ LEFT OUTER JOIN EC EC37
+ ON EC37.eventid = E.eventid
+ AND EC37.columnid = 37
+WHERE
+ EC26.columnid IS NULL OR EC35.columnid IS NULL OR EC28.columnid IS NULL OR EC34.columnid IS NULL OR EC37.columnid IS NULL;
+
+If the resulting list indicates any field specifications are missing, this is a finding.SRG-APP-000098-DB-000042<GroupDescription></GroupDescription>SQL4-00-012100SQL Server must produce Trace or Audit records containing sufficient information to establish the sources (origins) of the events.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
+
+SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use.
+
+The source of the event can be a user account and sometimes a system account when timed jobs are run. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. If Trace is enabled for auditing, SQL Server does capture the source of the event-specific information in all audit records.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82267V-67777CCI-000133Design and deploy a SQL Server Audit or Trace that captures the NT User Name, NT Domain Name, Host Name, Client Process ID, Application Name, Login Name, SPID, DB User Name, and Login SID (each where relevant) for all auditable events.
+
+The script provided in the supplemental file Trace.sql can be used to create a trace.
+
+If SQL Server Audit is intended to be in use, design and deploy an Audit that captures all auditable events. The code provided in the supplemental file Audit.sql can be used as the basis for creating an Audit.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Audit is in use, this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that for all events it captures the NT User Name, NT Domain Name, Host Name, Client Process ID, Application Name, Login Name, SPID, DB User Name, and Login SID (each where relevant).
+From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+WITH
+EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(#)),
+E AS (SELECT DISTINCT eventid FROM EC)
+SELECT
+ E.eventid,
+ CASE WHEN EC6.columnid IS NULL THEN 'NT User Name (6) missing' ELSE '6 OK' END AS field26,
+ CASE WHEN EC7.columnid IS NULL THEN 'NT Domain Name (7) missing' ELSE '7 OK' END AS field7,
+ CASE WHEN EC8.columnid IS NULL THEN 'Host Name (8) missing' ELSE '8 OK' END AS field8,
+ CASE WHEN EC9.columnid IS NULL THEN 'Client Process ID (9) missing' ELSE '9 OK' END AS field9,
+ CASE WHEN EC10.columnid IS NULL THEN 'Application Name (10) missing' ELSE '10 OK' END AS field10,
+ CASE WHEN EC11.columnid IS NULL THEN 'Login Name (11) missing' ELSE '11 OK' END AS field11,
+ CASE WHEN EC12.columnid IS NULL THEN 'SPID (12) missing' ELSE '12 OK' END AS field12,
+ CASE WHEN EC40.columnid IS NULL THEN 'DB User Name (40) missing' ELSE '40 OK' END AS field40,
+ CASE WHEN EC41.columnid IS NULL THEN 'Login SID (41) missing' ELSE '41 OK' END AS field41
+FROM E E
+ LEFT OUTER JOIN EC EC6
+ ON EC6.eventid = E.eventid
+ AND EC6.columnid = 6
+ LEFT OUTER JOIN EC EC7
+ ON EC7.eventid = E.eventid
+ AND EC7.columnid = 7
+ LEFT OUTER JOIN EC EC8
+ ON EC8.eventid = E.eventid
+ AND EC8.columnid = 8
+ LEFT OUTER JOIN EC EC9
+ ON EC9.eventid = E.eventid
+ AND EC9.columnid = 9
+ LEFT OUTER JOIN EC EC10
+ ON EC10.eventid = E.eventid
+ AND EC10.columnid = 10
+ LEFT OUTER JOIN EC EC11
+ ON EC11.eventid = E.eventid
+ AND EC11.columnid = 11
+ LEFT OUTER JOIN EC EC12
+ ON EC12.eventid = E.eventid
+ AND EC12.columnid = 12
+ LEFT OUTER JOIN EC EC40
+ ON EC40.eventid = E.eventid
+ AND EC40.columnid = 40
+ LEFT OUTER JOIN EC EC41
+ ON EC41.eventid = E.eventid
+ AND EC41.columnid = 41
+WHERE
+ EC6.columnid IS NULL OR EC7.columnid IS NULL OR EC8.columnid IS NULL OR EC9.columnid IS NULL
+ OR EC10.columnid IS NULL OR EC11.columnid IS NULL OR EC12.columnid IS NULL
+ OR EC40.columnid IS NULL OR EC41.columnid IS NULL;
+
+If the resulting list indicates any field specifications are missing, this is a finding.
+
+If SQL Server Audit is in use, check to see that all audit records include enough information to establish the sources of the events; if not, this is a finding.SRG-APP-000099-DB-000043<GroupDescription></GroupDescription>SQL4-00-012200SQL Server must produce Trace or Audit records containing sufficient information to establish the outcome (success or failure) of the events.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
+
+SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use.
+
+Success and failure indicators ascertain the outcome of a particular event. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Without knowing the outcome of audit events, it is very difficult to accurately recreate the series of events during forensic analysis.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+If Trace is enabled for auditing, SQL Server does capture the outcome status information in all audit records.
+
+If SQL Server Audit is enabled, the [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False. For example, SELECT 1/0 FROM SYS.ALL_OBJECTS will appear in the audit trail as successful, if the user has permission to perform that action, even though it contains an invalid expression. Some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82269V-67779CCI-000134If Trace is in use for audit purposes, design and deploy a Trace that captures the NT User Name, NT Domain Name, Host Name, Login Name, DB User Name and Login SID (each where relevant) for all auditable events. The script provided in the supplemental file Trace.sql can be used to create a trace.
+
+If SQL Server Audit is intended to be in use, design and deploy an Audit that captures all auditable events. The code provided in the supplemental file Audit.sql can be used as the basis for creating an Audit.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Audit is in use, the Succeeded column is populated for all relevant events: this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that for all events it captures the Success flag (successful use of permissions), State and Error number (each where relevant).
+From the query prompt:
+
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+
+WITH
+EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(#)),
+E AS (SELECT DISTINCT eventid FROM EC)
+SELECT
+ E.eventid,
+ CASE WHEN EC23.columnid IS NULL THEN 'Success (successful use of permissions) (23) missing' ELSE '23 OK' END AS field23,
+ CASE WHEN EC30.columnid IS NULL THEN 'State (30) missing' ELSE '30 OK' END AS field30,
+ CASE WHEN EC31.columnid IS NULL THEN 'Error (31) missing' ELSE '31 OK' END AS field31
+FROM E E
+ LEFT OUTER JOIN EC EC23
+ ON EC23.eventid = E.eventid
+ AND EC23.columnid = 23
+ LEFT OUTER JOIN EC EC30
+ ON EC30.eventid = E.eventid
+ AND EC30.columnid = 30
+ LEFT OUTER JOIN EC EC31
+ ON EC31.eventid = E.eventid
+ AND EC31.columnid = 31
+WHERE
+ EC23.columnid IS NULL OR EC30.columnid IS NULL OR EC31.columnid IS NULL;
+
+If the resulting list indicates any field specifications are missing, this is a finding.SRG-APP-000100-DB-000201<GroupDescription></GroupDescription>SQL4-00-012300SQL Server must produce Trace or Audit records containing sufficient information to establish the identity of any user/subject associated with the event.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
+
+Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82271V-67781CCI-001487If Trace is in use for audit purposes, design and deploy a Trace that captures the NT User Name, NT Domain Name, Host Name, Login Name, DB User Name and Login SID (each where relevant) for all auditable events. The script provided in the supplemental file Trace.sql can be used to create a trace.
+
+If SQL Server Audit is intended to be in use, design and deploy an Audit that captures all auditable events. The code provided in the supplemental file Audit.sql can be used as the basis for creating an Audit.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Audit is in use, the Principal Name columns are populated for all relevant events: this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that for all events it captures the NT User Name, NT Domain Name, Host Name, Login Name, DB User Name and Login SID (each where relevant).
+From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+WITH
+EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(#)),
+E AS (SELECT DISTINCT eventid FROM EC)
+SELECT
+ E.eventid,
+ CASE WHEN EC6.columnid IS NULL THEN 'NT User Name (6) missing' ELSE '6 OK' END AS field26,
+ CASE WHEN EC7.columnid IS NULL THEN 'NT Domain Name (7) missing' ELSE '7 OK' END AS field7,
+ CASE WHEN EC8.columnid IS NULL THEN 'Host Name (8) missing' ELSE '8 OK' END AS field8,
+ CASE WHEN EC11.columnid IS NULL THEN 'Login Name (11) missing' ELSE '11 OK' END AS field11,
+ CASE WHEN EC40.columnid IS NULL THEN 'DB User Name (40) missing' ELSE '40 OK' END AS field40,
+ CASE WHEN EC41.columnid IS NULL THEN 'Login SID (41) missing' ELSE '41 OK' END AS field41
+FROM E E
+ LEFT OUTER JOIN EC EC6
+ ON EC6.eventid = E.eventid
+ AND EC6.columnid = 6
+ LEFT OUTER JOIN EC EC7
+ ON EC7.eventid = E.eventid
+ AND EC7.columnid = 7
+ LEFT OUTER JOIN EC EC8
+ ON EC8.eventid = E.eventid
+ AND EC8.columnid = 8
+ LEFT OUTER JOIN EC EC11
+ ON EC11.eventid = E.eventid
+ AND EC11.columnid = 11
+ LEFT OUTER JOIN EC EC40
+ ON EC40.eventid = E.eventid
+ AND EC40.columnid = 40
+ LEFT OUTER JOIN EC EC41
+ ON EC41.eventid = E.eventid
+ AND EC41.columnid = 41
+WHERE
+ EC6.columnid IS NULL OR EC7.columnid IS NULL OR EC8.columnid IS NULL
+ OR EC11.columnid IS NULL OR EC40.columnid IS NULL OR EC41.columnid IS NULL;
+
+If the resulting list indicates any field specifications are missing, this is a finding.SRG-APP-000101-DB-000044<GroupDescription></GroupDescription>SQL4-00-012400SQL Server must include organization-defined additional, more detailed information in Trace or Audit records for events identified by type, location, or subject.<VulnDiscussion>SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
+
+SQL Server does have a means available to add organizationally defined additional, more detailed information in the audit event records. These events may be identified by type, location, or subject. An example of more detailed information the organization may require in audit records could be the name of the application where the request is coming from.
+
+Some organizations may determine that more detailed information is required for specific database event types. If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82273V-67783CCI-000135If Trace is in use for audit purposes, where SQL Server's trace facilities can provide the necessary data, define and enable a trace that captures all organization-defined auditable events and fields. The script provided in the supplemental file Trace.sql can be used for this, after appropriate editing.
+
+Where SQL Server's trace facilities cannot provide the necessary data, designate the event code(s) that will be used (Microsoft provides codes 82 through 91 for this purpose), design and deploy triggers that will recognize the events and invoke sp_trace_generateevent to populate the trace with the necessary information. Add a block of sp_trace_setevent calls to the trace script for each event code designated for this purpose.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using database audit specifications, Extended Events and/or triggers.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Review system documentation to determine whether SQL Server is required to audit any events, and any fields, in addition to those in the standard audit or audit-oriented trace.
+
+If there are none specified, this is not a finding.
+
+If SQL Server Trace is in use for audit purposes, review the audit-oriented trace definition script(s) to identify any events and/or fields that are required but not in the script.
+
+If any such are identified, this is a finding.
+
+If SQL Server Audit is in use, compare the audit specification(s) with the documented requirements.
+
+If any such requirement is not satisfied by the audit specification(s) (or by supplemental, locally-deployed mechanisms), this is a finding.SRG-APP-000109-DB-000049<GroupDescription></GroupDescription>SQL4-00-013000Unless it has been determined that availability is paramount, SQL Server must shut down upon the failure of an Audit, or a Trace used for auditing purposes, to include the unavailability of space for more audit/trace log records.<VulnDiscussion>It is critical that when SQL Server is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
+
+When the need for system availability does not outweigh the need for a complete audit trail, SQL Server should shut down immediately, rolling back all in-flight transactions.
+
+Systems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82275V-67785CCI-000140If Trace is in use for audit purposes, redefine the trace, with @options = 6. The script provided in the supplemental file Trace.sql can be used to do this.
+
+If SQL Server Audit is in use, configure SQL Server Audit to shut SQL Server down upon audit failure, to include running out of space for audit logs. Run this T-SQL script for each identified audit:
+ALTER SERVER AUDIT <server_audit_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT <server_audit_name> WITH (ON_FAILURE = SHUTDOWN);
+GO
+ALTER SERVER AUDIT <server_audit_name> WITH (STATE = ON);
+GO
+The audit defined in the supplemental file Audit.sql includes this setting.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA).
+
+If SQL Server Trace is in use for audit purposes, run the statement:
+SELECT * FROM sys.traces;
+
+In the results of the SELECT, identify the row representing the trace used for audit purposes. Examine the values in that row.
+
+If is_shutdown = 0, this is a finding.
+
+If SQL Server Audit is in use, review the defined server audits by running the statement:
+SELECT * FROM sys.server_audits;
+By observing the [name] and [is_state_enabled] columns, identify the row or rows in use.
+
+If the [on_failure_desc] is "SHUTDOWN SERVER INSTANCE" on this/these row(s), this is not a finding. Otherwise, this is a finding.SRG-APP-000118-DB-000059<GroupDescription></GroupDescription>SQL4-00-013600The audit information produced by SQL Server must be protected from unauthorized read access.<VulnDiscussion>If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.
+
+To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, copy, etc.
+
+SQL Server and third-party tools are examples of applications that are easily able to view and manipulate audit file data. Additionally, applications with user interfaces to audit records should not allow unfettered manipulation of, or access to, those records via any application. If an application provides access to the audit data, the application becomes accountable for ensuring that audit information is protected from unauthorized access.
+
+This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections, and limiting log data location.
+
+Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82279V-67789CCI-000162Edit the system security plan to include justification and authorization for any less restrictive permissions that are present and needed. (An example might be where Auditors need "Read & Execute" rather than "Read" alone.)
+
+Modify audit file permissions to meet the requirement to protect against unauthorized access.
+
+Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties.
+On the Security tab, modify the security permissions to:
+Administrator(read)
+Users (none)
+Audit Administrator(Full Control)
+Auditors group (Read)
+SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx.
+
+Note 2: Tips for adding a service SID/virtual account to a folder's permission list.
+1) In Windows Explorer, right-click on the folder and select "Properties."
+2) Select the "Security" tab
+3) Click "Edit"
+4) Click "Add"
+5) Click "Locations"
+6) Select the computer name
+7) Search for the name
+7.a) SQL Server Service
+7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.)
+7.a.ii) Select the "MSSQL$<instance name>" user and click OK
+7.b) SQL Agent Service
+7.b.i) Type "NT SERVICE\SQL" and click "Check Names"
+7.b.ii) Select the "SQLAgent$<instance name>" user and click OK
+8) Click OK
+9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script:
+SELECT DISTINCT
+LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path"
+FROM sys.traces
+UNION
+SELECT log_file_path AS "Audit Path"
+FROM sys.server_file_audits
+
+For each audit, the path column will give the location of the file.
+
+Verify that all audit files have the correct permissions by doing the following for each audit file:
+Navigate to audit folder location(s) using a command prompt or Windows Explorer.
+Right-click the file/folder, then click Properties. On the Security tab, verify that at most the following permissions are applied:
+Administrator(read)
+Users (none)
+Audit Administrator (Full Control)
+Auditors group (Read)
+SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+
+If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding.
+
+If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding.
+
+If Trace is in use, SQL Server creates each trace file with a standard set of permissions, overriding the folder permissions. It grants full control to OWNER RIGHTS, Administrators, and <SQL Server Instance name>.
+
+Since this is not configurable, this is not a finding.
+
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, the user can opt to have these provisioned for them. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx.
+
+Note 2: Tips for adding a service SID/virtual account to a folder's permission list:
+1) In Windows Explorer, right-click on the folder and select "Properties."
+2) Select the "Security" tab.
+3) Click "Edit".
+4) Click "Add".
+5) Click "Locations".
+6) Select the computer name.
+7) Search for the name.
+7.a) SQL Server Service
+7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.)
+7.a.ii) Select the "MSSQL$<instance name>" user and click OK.
+7.b) SQL Agent Service
+7.b.i) Type "NT SERVICE\SQL" and click "Check Names".
+7.b.ii) Select the "SQLAgent$<instance name>" user and click OK.
+8) Click OK.
+9) Permission like a normal user from here.SRG-APP-000119-DB-000060<GroupDescription></GroupDescription>SQL4-00-013700The audit information produced by SQL Server must be protected from unauthorized modification.<VulnDiscussion>If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve.
+
+To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.
+
+This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions, and limiting log data locations.
+
+Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make decisions regarding the modification of audit data.
+
+Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+Modification of database audit data could mask the theft or unauthorized modification of sensitive data stored in the database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82281V-67791CCI-000163Edit the system security plan to include justification and authorization for any less restrictive permissions that are present and needed. (An example might be where Auditors need "Read & Execute" rather than "Read" alone.)
+
+Modify audit file permissions to meet the requirement to protect against unauthorized modification.
+
+Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties. On the Security tab, modify the security permissions to:
+Administrator(read)
+Users (none)
+Audit Administrator(Full Control)
+Auditors group (Read)
+SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx.
+
+Note 2: Tips for adding a service SID/virtual account to a folder's permission list.
+1) In Windows Explorer, right-click on the folder and select "Properties."
+2) Select the "Security" tab
+3) Click "Edit"
+4) Click "Add"
+5) Click "Locations"
+6) Select the computer name
+7) Search for the name
+7.a) SQL Server Service
+7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.)
+7.a.ii) Select the "MSSQL$<instance name>" user and click OK
+7.b) SQL Agent Service
+7.b.i) Type "NT SERVICE\SQL" and click "Check Names"
+7.b.ii) Select the "SQLAgent$<instance name>" user and click OK
+8) Click OK
+9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script:
+SELECT DISTINCT
+LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path"
+FROM sys.traces
+UNION
+SELECT log_file_path AS "Audit Path"
+FROM sys.server_file_audits
+
+For each audit, the Audit Path column will give the location of the file.
+
+Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. The following instructions assume Windows Explorer is used.
+
+Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied:
+Administrator(read)
+Users (none)
+Audit Administrator (Full Control)
+Auditors group (Read)
+SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+
+If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding.
+
+If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding.
+
+If Trace is in use, SQL Server creates each trace file with a standard set of permissions, overriding the folder permissions. It grants full control to OWNER RIGHTS, Administrators and <SQL Server Instance name>.
+
+Since this is not configurable, this is not a finding.
+
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx.
+
+Note 2: Tips for adding a service SID/virtual account to a folder's permission list.
+1) In Windows Explorer, right-click on the folder and select "Properties."
+2) Select the "Security" tab
+3) Click "Edit"
+4) Click "Add"
+5) Click "Locations"
+6) Select the computer name
+7) Search for the name
+7.a) SQL Server Service
+7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.)
+7.a.ii) Select the "MSSQL$<instance name>" user and click OK
+7.b) SQL Agent Service
+7.b.i) Type "NT SERVICE\SQL" and click "Check Names"
+7.b.ii) Select the "SQLAgent$<instance name>" user and click OK
+8) Click OK
+9) Permission like a normal user from hereSRG-APP-000120-DB-000061<GroupDescription></GroupDescription>SQL4-00-013800The audit information produced by SQL Server must be protected from unauthorized deletion.<VulnDiscussion>If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve.
+
+To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design.
+
+Some commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained.
+
+Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make decisions regarding the deletion of audit data.
+
+Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+Deletion of database audit data could mask the theft or unauthorized modification of sensitive data stored in the database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82283V-67793CCI-000164Modify audit file permissions to meet the requirement to protect against unauthorized deletion.
+
+Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties.
+On the Security tab, modify the security permissions to:
+Administrator(read)
+Users (none)
+Audit Administrator(Full Control)
+Auditors group (Read)
+SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx.
+
+Note 2: Tips for adding a service SID/virtual account to a folder's permission list.
+1) In Windows Explorer, right-click on the folder and select "Properties."
+2) Select the "Security" tab
+3) Click "Edit"
+4) Click "Add"
+5) Click "Locations"
+6) Select the computer name
+7) Search for the name
+7.a) SQL Server Service
+7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.)
+7.a.ii) Select the "MSSQL$<instance name>" user and click OK
+7.b) SQL Agent Service
+7.b.i) Type "NT SERVICE\SQL" and click "Check Names"
+7.b.ii) Select the "SQLAgent$<instance name>" user and click OK
+8) Click OK
+9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script:
+SELECT DISTINCT
+LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path"
+FROM sys.traces
+UNION
+SELECT log_file_path AS "Audit Path"
+FROM sys.server_file_audits
+
+For each audit, the path column will give the location of the file.
+
+Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer.
+
+Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied:
+Administrator(read)
+Users (none)
+Audit Administrator (Full Control)
+Auditors group (Read)
+SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+
+If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding.
+
+If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding.
+
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx.
+
+Note 2: Tips for adding a service SID/virtual account to a folder's permission list.
+1) In Windows Explorer, right-click on the folder and select "Properties."
+2) Select the "Security" tab
+3) Click "Edit"
+4) Click "Add"
+5) Click "Locations"
+6) Select the computer name
+7) Search for the name
+7.a) SQL Server Service
+7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.)
+7.a.ii) Select the "MSSQL$<instance name>" user and click OK
+7.b) SQL Agent Service
+7.b.i) Type "NT SERVICE\SQL" and click "Check Names"
+7.b.ii) Select the "SQLAgent$<instance name>" user and click OK
+8) Click OK
+9) Permission like a normal user from hereSRG-APP-000121-DB-000202<GroupDescription></GroupDescription>SQL4-00-013900Audit tools used in, or in conjunction with, SQL Server must be protected from unauthorized access.<VulnDiscussion> Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
+
+Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access.
+
+Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding access to the audit tools. SQL Server is an application that does provide access to audit data.
+
+Audit tools include, but are not limited to, OS-provided audit tools, vendor-provided audit tools, and open source audit tools needed to successfully view and manipulate audit information system activity and records.
+
+If an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82285V-67795CCI-001493Remove audit-related permissions from individuals and roles not authorized to have them.Check the server documentation for a list of approved users with access to SQL Server Audits.
+
+To create, alter, or drop a server audit, principals require the "ALTER ANY SERVER AUDIT" or the "CONTROL SERVER" permission. To view an Audit log requires the "CONTROL SERVER" permission. To use Profiler, "ALTER TRACE" is required.
+
+Review the SQL Server permissions granted to principals. Look for permissions "ALTER ANY SERVER AUDIT", "ALTER ANY DATABASE AUDIT", "CONTROL SERVER", and "ALTER TRACE":
+
+SELECT login.name, perm.permission_name, perm.state_desc
+FROM sys.server_permissions perm -- or STIG.server_permissions
+JOIN sys.server_principals login
+ON perm.grantee_principal_id = login.principal_id
+WHERE permission_name in ('CONTROL SERVER', 'ALTER ANY DATABASE AUDIT', 'ALTER ANY SERVER AUDIT','ALTER TRACE')
+and login.name not like '##MS_%';
+
+If unauthorized accounts have these privileges, this is a finding.SRG-APP-000122-DB-000203<GroupDescription></GroupDescription>SQL4-00-014000SQL Server and/or the operating system must protect its audit configuration from unauthorized modification.<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.
+
+Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+This focuses on external tools for log maintenance and review. Other STIG requirements govern SQL Server privileges to maintain trace or audit definitions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82293V-67803CCI-001494Apply or modify Windows permissions on tools used to view or modify audit log data (to include traces used for audit purposes), to make them accessible by authorized personnel only.In Windows, review the access permissions to tools used to view or modify audit log data (to include traces used for audit purposes).
+
+If appropriate permissions and access controls to prevent unauthorized changes are not applied to these tools, this is a finding.SRG-APP-000123-DB-000204<GroupDescription></GroupDescription>SQL4-00-014100SQL Server and the operating system must protect SQL Server audit features from unauthorized removal.<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.
+
+Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+This focuses on external tools for log maintenance and review. Other STIG requirements govern SQL Server privileges to maintain trace or audit definitions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82295V-67805CCI-001495Apply or modify Windows permissions on tools used to view or modify audit log data (to include traces used for audit purposes), to make them accessible by authorized personnel only.In Windows, review the access permissions to tools used to view or modify audit log data (to include traces used for audit purposes).
+
+If appropriate permissions and access controls to prevent unauthorized deletions are not applied to these tools, this is a finding.SRG-APP-000133-DB-000179<GroupDescription></GroupDescription>SQL4-00-015300SQL Server security-relevant configuration settings must be monitored to discover unauthorized changes.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to security-relevant configuration settings of SQL Server can potentially have significant effects on the overall security of the system.
+
+If SQL Server were to allow any user to make changes to configuration settings, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement is contingent upon the configuration of SQL Server's hosted application and the security-relevant configuration settings of SQL Server.
+
+Accordingly, only qualified and authorized individuals shall be allowed to obtain access to these security-relevant configuration settings for purposes of initiating changes, including upgrades and modifications.
+
+Unmanaged changes that occur to SQL Server software libraries or configuration can lead to unauthorized or compromised installations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82299V-67809CCI-001499Document the monitoring of security-relevant configuration settings to discover unauthorized changes within the system documentation.
+
+Document the specific users or types of security personnel that are able to monitor security-relevant configuration settings to discover unauthorized changes.
+
+Deploy and implement a third-party tool or some other SQL Server method of monitoring security-relevant configuration settings to discover unauthorized changes.Verify within the system documentation that SQL Server is monitored for security-relevant configuration settings to discover unauthorized changes.
+
+This can be done by a third-party tool or a SQL script that does baselining and then comparisons.
+
+If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding.SRG-APP-000133-DB-000179<GroupDescription></GroupDescription>SQL4-00-015350Software, applications, and configuration files that are part of, or related to, the SQL Server installation must be monitored to discover unauthorized changes.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of applications and tools related to SQL Server can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals shall be allowed to obtain access to components related to SQL Server for purposes of initiating changes, including upgrades and modifications.
+
+Unmanaged changes that occur to the software libraries or configuration can lead to unauthorized or compromised installations.
+
+Of particular note in this context is that any software installed for auditing and/or audit file management must be protected and monitored.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82297V-67807CCI-001499Include locations of all files, libraries, scripts, and executables that are part of, or related to, the SQL Server 2014 installation in the documentation.
+
+Ensure that files and folders that are part of, or related to, the SQL Server 2014 installation have only the following privileges. Right-click the file/folder, click Properties. On the Security tab, modify the security permissions, so that at most the following permissions are present:
+Trusted Installer (Full Control)
+SYSTEM (FULL CONTROL)
+Administrators (FULL CONTROL)
+Users (READ, LIST FOLDER CONTENTS, READ & EXECUTE)
+Creator Owner (Special Permissions - Full control - Subfolders and files only)
+All Application Packages (Read & Execute) [Only as needed - see Note 2]
+
+Ensure that files and folders that are part of, or related to, the SQL Server 2014 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, use the Add or Edit buttons and the dialogs that follow from them, to set up the following on at least one audit:
+Type: All
+Principal: Everyone
+Access: Modify
+Applies to: This Folder, subfolder, and files [where applicable]
+
+Deploy a third-party security and data integrity tool for monitoring and alerting files and folders based on cryptographic hashes, to verify files/folder locations as listed in the documentation.
+
+Note 1: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (or another appropriate group of administrators) and providing the local Administrators group with Read access only.
+
+Note 2: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.)Verify that files and folders that are part of, or related to, the SQL Server 2014 installation have only the appropriate privileges. In Windows Explorer, right-click the file/folder, click Properties. On the Security tab, modify the security permissions, so that at most the following permissions are present:
+Trusted Installer (Full Control)
+SYSTEM (Full Control)
+Administrators (Full Control) [See Note 1]
+Users (Read, List Folder Contents, Read & Execute)
+Creator Owner (Special Permissions - Full control - Subfolders and files only)
+All Application Packages (Read & Execute) [Only as needed - see Note 2]
+
+If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.
+
+Verify that files and folders that are part of, or related to, the SQL Server 2014 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify that the following is set up on at least one audit:
+Type: All
+Principal: Everyone
+Access: Modify
+Applies to: This Folder, subfolder, and files [where applicable]
+
+If the required audit settings are not configured, there is a risk that unauthorized changes to the software will go undetected, and this is a finding.
+
+If a third-party security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding.
+
+If the tool does not verify files/folder locations as listed in the documentation, this is a finding.
+
+Note 1: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (or another appropriate group of administrators) and providing the local Administrators group with Read access only.
+
+Note 2: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.)SRG-APP-000133-DB-000198<GroupDescription></GroupDescription>SQL4-00-015400SQL Server software installation account(s) must be restricted to authorized users.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
+
+If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version dependent. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages.
+
+Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on SQL Server security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82301V-67811CCI-001499From a Command Prompt, open lusrmgr.msc. Navigate to Users >> right-click individual user >> Properties >> Member Of.
+
+Configure SQL Server & OS settings and access controls, to restrict user access to objects and data that the user is authorized to view or interact with.
+
+Develop, document, and implement procedures to restrict use of the DBMS software installation account.Check system documentation for policy and procedures to restrict use of the SQL Server software installation account.
+
+Check OS settings to determine whether users are restricted from accessing SQL Server objects and data they are not authorized to access by checking the local OS user accounts.
+
+From a Command Prompt, open lusrmgr.msc. Navigate to Users >> right-click individual user >> Properties >> Member Of.
+
+If appropriate access controls for all users are not implemented to restrict access to only authorized users and to restrict the access of those users to objects and data they are authorized, this is a finding.
+
+Review procedures for controlling and granting access to use of the SQL Server software installation account.
+
+If access or use of this account is not restricted to the minimum number of personnel required, or unauthorized access to this account has been granted, this is a finding.SRG-APP-000133-DB-000199<GroupDescription></GroupDescription>SQL4-00-015500Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
+
+Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to other applications’ database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82303V-67813CCI-001499Separate database files (software, data) into dedicated directories.Verify the SQL Server installations present on the server.
+
+From a Command Prompt, type regedit.exe, and press [ENTER].
+
+Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> Instance Names. Each instance installed on the server possesses a key inside a folder under this registry entry.
+
+Analysis Services Instances are registered in the OLAP subfolder.
+Reporting Services Instances are registered in the RS subfolder.
+Standard SQL Server (database engine) Instances are registered in the SQL subfolder.
+
+Inside each one of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME].
+
+An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders.
+
+To find the installation location of a particular instance, navigate to the following location in the Windows Registry:
+
+HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance.
+
+Navigate to that folder location using a Command Prompt or Windows Explorer. Only applications that are required for the functioning and administration, not use, of SQL Server should be located on the same directory node as the SQL Server software libraries.
+
+If any files or subfolders that are not part of the SQL Server installation are in the folder, this is a finding.SRG-APP-000141-DB-000090<GroupDescription></GroupDescription>SQL4-00-016200SQL Server must have the publicly available Northwind sample database removed.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements and providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Even though the very popular "Northwind" database is no longer installed by default, it introduces a vulnerability to SQL Server and must be removed, if present.
+
+Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the SQL Server and the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82307V-67817CCI-000381Remove the publicly available "Northwind" database from SQL Server by running the following script:
+
+USE master;
+GO
+DROP DATABASE Northwind;
+GOCheck SQL Server for the existence of the publicly available "Northwind" database by performing the following query:
+
+SELECT name FROM sysdatabases WHERE name LIKE 'Northwind%';
+
+If the "Northwind" database is present, this is a finding.SRG-APP-000141-DB-000090<GroupDescription></GroupDescription>SQL4-00-016300SQL Server must have the publicly available pubs sample database removed.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements and providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Even though the formerly popular "pubs" database is no longer installed by default, it introduces a vulnerability to SQL Server and must be removed, if present.
+
+Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the SQL Server and the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82309V-67819CCI-000381Remove the publicly available "pubs" database from SQL Server by running the following script:
+
+USE master;
+GO
+DROP DATABASE pubs;
+GOCheck SQL Server for the existence of the publicly available "pubs" database by performing the following query:
+
+SELECT name FROM sysdatabases WHERE name LIKE 'pubs%';
+
+If the "pubs" database is present, this is a finding.SRG-APP-000141-DB-000090<GroupDescription></GroupDescription>SQL4-00-016310SQL Server must have the publicly available AdventureWorks sample database removed.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements and providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Even though the very popular "AdventureWorks" database is no longer installed by default, it introduces a vulnerability to SQL Server and must be removed, if present.
+
+Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the SQL Server and the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82311V-67821CCI-000381Remove the publicly available "AdventureWorks" database from SQL Server by running the following script:
+
+USE master;
+GO
+DROP DATABASE AdventureWorks;
+GOCheck SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query:
+
+SELECT name FROM sysdatabases WHERE name LIKE 'AdventureWorks%';
+
+If the "AdventureWorks" database is present, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016500SQL Server must have the SQL Server Data Tools (SSDT) software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The SQL Server Data Tools (SSDT) software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82313V-67823CCI-000381Document the requirement for SQL Server Data Tools to reside on this server.
+
+If it is not required, using an account with System Administrator privileges, from Command Prompt, open control.exe.
+
+Navigate to Programs and Features. Remove the following entries in the 'Uninstall or change a program' window.
+
+Microsoft SQL Server Data Tools - Database Projects - Web installer entry point
+Prerequisites for SSDTReview the list of components and features installed with the database. Using an account with System Administrator privileges, from Command Prompt, open control.exe.
+
+Navigate to Programs and Features. Check for the following entries in the 'Uninstall or change a program' window.
+
+Microsoft SQL Server Data Tools - Database Projects - Web installer entry point
+Prerequisites for SSDT
+
+If SQL Server Data Tools is not documented as a server requirement, and these entries exist, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016600SQL Server must have the SQL Server Reporting Services (SSRS) software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The SQL Server Reporting Services (SSRS) software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82315V-67825CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select the relevant SQL Server instance; click Next.
+
+Select Reporting Services - Native; select Reporting Services Add-in for SharePoint Products if it is present; click Next.
+
+Follow the remaining prompts, to remove SQL Server Reporting Services from SQL Server.If the SQL Server service "SQL Server Reporting Services (<Instance Name>)" is used and satisfies organizational requirements, this is not a finding.
+
+From a command prompt or the Start menu, using an account with System Administrator Privilege, open services.msc. Look for: "SQL Server Reporting Services (<Instance Name>)".
+
+If the "SQL Server Reporting Services (<Instance Name>)" service exists, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016700SQL Server must have the SQL Server Integration Services (SSIS) software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The SQL Server Integration Services (SSIS) software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82317V-67827CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select '<< Remove shared features only >>'; click Next. Note: all SQL Server 2014 instances will be affected by this action.
+
+Select Integration Services; click Next.
+
+Follow the remaining prompts, to remove SQL Server Integration Services from SQL Server.If the SQL Server service "SQL Server Integration Services 12.0" is used and satisfies organizational requirements, this is not a finding.
+
+From a command prompt or the Start menu, using an account with System Administrator Privilege, open services.msc. Look for: "SQL Server Integration Services 12.0".
+
+If the "SQL Server Integration Services 12.0" service exists, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016800SQL Server must have the SQL Server Analysis Services (SSAS) software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The SQL Server Analysis Service (SSAS) software component removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82319V-67829CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select the relevant SQL Server instance; click Next.
+
+Select Analysis Services; click Next.
+
+Follow the remaining prompts, to remove SQL Server Analysis Services from SQL Server.If the SQL Server service "SQL Server Analysis Services (<Instance Name>)" is used and satisfies organizational requirements, this is not a finding.
+
+From a command prompt or the Start menu, using an account with System Administrator Privilege, open services.msc. Look for: "SQL Server Analysis Services (<Instance Name>)".
+
+If the "SQL Server Analysis Services (<Instance Name>)" service exists, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016805SQL Server must have the SQL Server Distributed Replay Client software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The SQL Server Distributed Replay Client software component must be removed if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82321V-67831CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select a SQL Server instance; click Next. (Note: all instances of SQL Server 2012 or higher may be affected by this action.)
+
+Select Distributed Replay Client; click Next.
+
+Follow the remaining prompts, to remove Distributed Replay Client from SQL Server.If the SQL Server service "SQL Server Distributed Replay Client" is used and satisfies organizational requirements, this is not a finding.
+
+From a command prompt or the Start menu, using an account with System Administrator Privilege, open services.msc. Look for: "SQL Server Distributed Replay Client".
+
+If the "SQL Server Distributed Replay Client" service exists, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016810SQL Server must have the SQL Server Distributed Replay Controller software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The SQL Server Distributed Replay Controller software component must be removed if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82323V-67833CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select '<< Remove shared features only >>'; click Next. (Note: all instances of SQL Server 2012 or higher may be affected by this action.)
+
+Select Distributed Replay Controller; click Next.
+
+Follow the remaining prompts, to remove Distributed Replay Controller from SQL Server.If the SQL Server service "SQL Server Distributed Replay Controller" is used and satisfies organizational requirements, this is not a finding.
+
+From a command prompt or the Start menu, using an account with System Administrator Privilege, open services.msc. Look for: "SQL Server Distributed Replay Controller".
+
+If the "SQL Server Distributed Replay Controller" service exists, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016815SQL Server must have the Full-Text Search software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The Full-Text Search software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82325V-67835CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select the relevant SQL Server instance; click Next.
+
+Select Full-Text and Semantic Extractions for Search; click Next.
+
+Follow the remaining prompts, to remove Full-Text and Semantic Extractions for Search from SQL Server.If the SQL Server full-text search feature is used and satisfies organizational requirements, this is not a finding.
+
+From a command prompt or the Start menu, using an account with System Administrator Privilege, open services.msc. Look for: "SQL Full-text Daemon Launcher(<Instance name>)".
+
+If the "SQL Full-text Daemon Launcher(<Instance name>)" service exists, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016820SQL Server must have the Master Data Services software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The Master Data Services software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82327V-67837CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select '<< Remove shared features only >>'; click Next. Note: all SQL Server 2014 instances will be affected by this action.)
+
+Select Master Data Services; click Next.
+
+Follow the remaining prompts, to remove Master Data Services from SQL Server.If the Master Data Services feature is used and satisfies organizational requirements, this is not a finding.
+
+Click on the Start button. Navigate to >> Microsoft SQL Server 2014 >> Master Data Services.
+
+If the "Master Data Services" folder exists and contains any programs, this is a finding.
+
+In Windows Explorer, navigate to <drive where SQL Server is installed>:\Program Files\Microsoft SQL Server\120\Master Data Services\.
+
+If this exists and contains any files, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016826SQL Server must have the SQL Server Replication software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The SQL Server Replication software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82329V-67839CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select the relevant SQL Server instance; click Next.
+
+Select SQL Server Replication; click Next.
+
+Follow the remaining prompts, to remove SQL Server Replication from SQL Server.If the SQL Server Replication feature is used and satisfies organizational requirements, this is not a finding.
+
+In SQL Server Management Studio, Object Explorer, expand the instance. Right-click Replication >> New >> Publication.
+
+If the Publication Wizard appears, with no error message, this is a finding.
+
+Right-click Replication >> New >> Subscription.
+
+If the Subscription Wizard appears, with no error message, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016830SQL Server must have the Data Quality Client software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The Data Quality Client software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82331V-67841CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select the relevant SQL Server instance; click Next.
+
+Select Data Quality Client; click Next.
+
+Follow the remaining prompts, to remove Data Quality Client from SQL Server.If the Data Quality Client feature is used and satisfies organizational requirements, this is not a finding.
+
+In Windows Server 2008 R2 or lower, click on the Start button. In the Start menu, navigate to All Programs >> Microsoft SQL Server 2014.
+
+If the "Data Quality Services" folder exists and contains the Data Quality Client program, this is a finding.
+
+In Windows Server 2012 or higher, click on the Start button. In the Start menu, navigate to Apps >> Microsoft SQL Server 2014.
+
+If the Data Quality Client program is listed, this is a finding.
+
+In Windows Explorer, navigate to <drive where SQL Server is installed>:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\DQ\
+
+If this folder exists and contains the file DataQualityServices.exe, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016835SQL Server must have the Data Quality Services software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The Data Quality Services software component must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82333V-67843CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select the relevant SQL Server instance; click Next.
+
+Select Data Quality Services; click Next.
+
+Follow the remaining prompts, to remove Data Quality Services from SQL Server.
+
+Then run the following script:
+USE master;
+GO
+DROP DATABASE DQS_STAGING;
+GO
+DROP DATABASE DQS_PROJECTS;
+GO
+DROP DATABASE DQS_MAIN;
+GO
+
+Restart the server.If the Data Quality Services feature is used and satisfies organizational requirements, this is not a finding.
+
+Run the query:
+SELECT * FROM sys.databases WHERE name in ('DQS_MAIN', 'DQS_PROJECTS', 'DQS_STAGING_DATA');
+
+If any rows are returned, this is a finding.
+
+In Windows Server 2008 R2 or lower, click on the Start button. In the Start menu, navigate to All Programs >> Microsoft SQL Server 2014.
+
+If the "Data Quality Services" folder exists and contains the Data Quality Server Installer program, this is a finding.
+
+In Windows Server 2012 or higher, click on the Start button. In the Start menu, navigate to Apps >> Microsoft SQL Server 2014.
+
+If the Data Quality Server Installer program is listed, this is a finding.
+
+In Windows Explorer, navigate to <drive where SQL Server is installed>:\Program Files\Microsoft SQL Server\MSSQL12.<Instance name>\MSSQL\Binn\
+
+If this contains the file DQSInstaller.exe, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016845SQL Server must have the Client Tools SDK software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The Client Tools Software Development Kit must be removed from SQL Server if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82335V-67845CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select '<< Remove shared features only >>'; click Next. Note: all SQL Server 2014 instances will be affected by this action.)
+
+Select Client Tools Software Development Kit; click Next.
+
+Follow the remaining prompts, to remove the Client Tools Software Development Kit from SQL Server.If the Client Tools Software Development Kit is used and satisfies organizational requirements, this is not a finding.
+
+Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select '<< Remove shared features only >>'; click Next.
+
+If the list of shared features includes Client Tools SDK, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016850SQL Server must have the Management Tools software component removed if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+Management Tools is an indispensable software component on any server running the SQL Server DBMS, if the database administrator logs on to the Windows server to do his/her work. However, it is also possible to use the management tools on a separate machine and still connect to SQL Server. If this approach is used and DBAs never need to use the Management Tools directly on the server, then the Management Tools software component must be removed from the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82337V-67847CCI-000381Either using the Start menu or via the command "control.exe", open the Windows Control Panel. Open Programs and Features. Double-click on Microsoft SQL Server 2014. In the dialog box that appears, select Remove. Wait for the Remove wizard to appear.
+
+Select the relevant SQL Server instance; click Next.
+
+Select Management Tools - Basic and Management Tools - Complete; click Next.
+
+Follow the remaining prompts, to remove Management Tools from SQL Server.If the SQL Server Management Tools are used and satisfy organizational requirements, this is not a finding.
+
+In Windows Server 2008 R2 or lower, click on the Start button. In the Start menu, navigate to All Programs >> Microsoft SQL Server 2014.
+
+If the SQL Server Management Studio is listed, this is a finding.
+
+In Windows Server 2012 or higher, click on the Start button. In the Start menu, navigate to Apps >> Microsoft SQL Server 2014.
+
+If the SQL Server Management Studio is listed, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL4-00-016855SQL Server must have the Filestream feature disabled if it is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default or selected for installation by an administrator, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
+
+The Filestream feature must be disabled if it is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82339V-67849CCI-000381Either, in SQL Server Management Studio, Object Explorer, right-click on the SQL Server instance; select Properties; examine the Filestream section.
+
+If Filestream is not required, set Filestream Access Level to "Disabled."
+
+If Filestream is required only at the Transact-SQL query level, set Filestream Access Level to "Transact-SQL access enabled."
+
+Restart the SQL Server instance.
+
+Or, in a query tool, run this script, substituting the correct value for <Level>:
+ EXEC sys.sp_configure N'filestream access level', N'<Level>';
+ GO
+ RECONFIGURE WITH OVERRIDE;
+ GO
+
+The <Level> values are:
+0 - Disabled
+1 - Transact-SQL access enabled
+2 - Full access enabledDetermine whether Filestream is required to support the database(s) in this instance of SQL Server.
+
+Either, in SQL Server Management Studio, Object Explorer, right-click on the SQL Server instance; select Properties; examine the Filestream section.
+
+If Filestream Access Level is "Disabled", this is not a finding.
+
+If Filestream Access Level is "Transact-SQL access enabled" or "Full access enabled," and Filestream is not required, this is a finding.
+
+If Filestream Access Level is "Full access enabled," but only Transact-SQL access is required, this is a finding.
+
+Or, in a query tool, run this code:
+ EXEC sys.sp_configure N'filestream access level';
+
+Review the number in the config_value column. If it is 0, this is not a finding.
+
+If config_value is 1 or 2, and Filestream is not required, this is a finding.
+
+If config_value is 2, but only Transact-SQL access is required, this is a finding.SRG-APP-000141-DB-000092<GroupDescription></GroupDescription>SQL4-00-017000Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.<VulnDiscussion>SQL Server is capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities.
+
+Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82341V-67851CCI-000381If any components or features of SQL Server are required for operation of applications that will be accessing SQL Server data or configuration, include them in the system documentation.
+
+If any unused components or features of SQL Server are installed and cannot be uninstalled or removed, then disable those components or features.Review the components and features included in SQL Server and capable of being disabled (by configuration settings, permissions and privileges, etc.). Take note of those which are enabled.
+
+Review the system documentation to verify that the enabled components or features are documented and authorized. If any enabled components or features are not authorized, this is a finding.SRG-APP-000141-DB-000092<GroupDescription></GroupDescription>SQL4-00-017100The SQL Server default account [sa] must be disabled.<VulnDiscussion>SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database.
+
+This [sa] default account is administrative and could lead to catastrophic consequences, including the complete loss of control over SQL Server.
+
+If the [sa] default account is not disabled, an attacker might be able to gain access through the account. SQL Server by default, at installation, disables the [sa] account.
+
+Some applications that run on SQL Server require the [sa] account to be enabled in order for the application to function properly. These applications that require the [sa] account to be enabled are usually legacy systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82343V-67853CCI-000381Modify the enabled flag of SQL Server's [sa] (system administrator) account by running the following script. If the account name has been changed per SQL4-00-010200, replace the letters "sa" in the query with the new name.
+
+USE master;
+GO
+ALTER LOGIN [sa] DISABLE;
+GOCheck SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query:
+
+USE master;
+GO
+SELECT name, is_disabled
+FROM sys.sql_logins
+WHERE principal_id = 1;
+GO
+
+Verify that the "name" column contains the current name of the [sa] database server account (see note).
+
+If the "is_disabled" column is not set to 1, this is a finding.
+
+Note: If the [sa] account name has been changed per SQL4-00-010200, its new name should appear in the query results.SRG-APP-000141-DB-000093<GroupDescription></GroupDescription>SQL4-00-017200Access to xp_cmdshell must be disabled, unless specifically required and approved.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives.
+
+Applications must adhere to the principles of least functionality by providing only essential capabilities.
+
+DBMSs may spawn additional external processes to execute procedures that are defined in the DBMS, but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than the DBMS and provide unauthorized access to the host system.
+
+The xp_cmdshell extended stored procedure allows execution of host executables outside the controls of database access permissions. This access may be exploited by malicious users who have compromised the integrity of the SQL Server database process to control the host operating system to perpetrate additional malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82347V-67857CCI-000381To disable the use of xp_cmdshell, from the query prompt:
+ EXEC sp_configure 'show advanced options', 1;
+ GO
+ RECONFIGURE;
+ GO
+ EXEC sp_configure 'xp_cmdshell', 0;
+ GO
+ RECONFIGURE;
+ GOTo determine if xp_cmdshell is enabled, execute the following commands:
+
+ EXEC SP_CONFIGURE 'show advanced options', '1';
+ RECONFIGURE WITH OVERRIDE;
+ EXEC SP_CONFIGURE 'xp_cmdshell';
+
+If the value of config_value is 0, this is not a finding.
+
+Review the system documentation to determine whether the use of xp_cmdshell is required and approved. If it is not approved, this is a finding.SRG-APP-000142-DB-000094<GroupDescription></GroupDescription>SQL4-00-017400SQL Server must be configured to prohibit or restrict the use of unauthorized network protocols.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services) but doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
+
+Database Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and, through the database, to other components of the information system.
+
+For information on approved and prohibited ports, protocols, and services, see the Ports, Protocols, and Services Management (PPSM) section of DoD Cyber Exchange web site: https://public.cyber.mil/connect/ppsm/.
+
+"Functions" in this requirement refers to system and infrastructure functionality, not to functions in mathematics and programming languages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82349V-67859CCI-000382In SQL Server Configuration Manager, right-click on each listed protocol that is enabled but not authorized; select Disable.Open SQL Server Configuration Manager. Navigate to SQL Server Network Configuration > Protocols for <instance name>, where <instance name> is a placeholder for the SQL Server instance name.
+
+If any listed protocol is enabled but not authorized, this is a finding.SRG-APP-000142-DB-000094<GroupDescription></GroupDescription>SQL4-00-017410SQL Server must be configured to prohibit or restrict the use of unauthorized network ports.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services) but doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
+
+Database Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and, through the database, to other components of the information system.
+
+For information on approved and prohibited ports, protocols, and services, see the Ports, Protocols, and Services Management (PPSM) section of DoD Cyber Exchange web site: https://public.cyber.mil/connect/ppsm/.
+
+"Functions" in this requirement refers to system and infrastructure functionality, not to functions in mathematics and programming languages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82351V-67861CCI-000382Change the ports used by SQL Server to comply with PPSM guidance, or document the need for other ports, and obtain written approval. Close ports no longer needed.Review the ports used by SQL Server.
+
+If these are in conflict with PPSM guidance, and not explained and approved in the system documentation, this is a finding.SRG-APP-000148-DB-000103<GroupDescription></GroupDescription>SQL4-00-018400SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).<VulnDiscussion>To ensure accountability and prevent unauthorized SQL Server access, organizational users shall be identified and authenticated.
+
+Organizational users include organizational employees and individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations).
+
+Users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which must outline specific user actions that can be performed on SQL Server without identification or authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82353V-67863CCI-000764Remove user-accessible shared accounts and use individual userids.
+
+Build/configure applications to ensure successful individual authentication prior to shared account access.
+
+Ensure each user's identity is received and used in audit data in all relevant circumstances.Review SQL Server users to determine whether shared accounts exist. (This does not include the case where SQL Server has a guest or public account that is providing access to publicly available information.)
+
+If accounts are determined to be shared, determine if individuals are first individually authenticated.
+
+If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding.
+
+If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.SRG-APP-000180-DB-000115<GroupDescription></GroupDescription>SQL4-00-018900SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).<VulnDiscussion>Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations).
+
+Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.
+
+This may be accomplished by a code embedded within the userid, or via a flag or code column in a table of users, or by some other means. In any case, the user must be individually identified to, and within, SQL Server via a mapping to an individual account and not mapping to a shared account.
+
+Accordingly, a risk assessment is used in determining the authentication needs of the organization.
+
+Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, and other organizations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82363V-67873CCI-000804Configure SQL Server to uniquely identify and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of the operating system with unique accounts and the SQL Server by ensuring mapping to individual accounts.Review documentation, SQL Server settings and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system.
+
+If the documentation indicates that this is a public-facing, read-only (from the point of view of public users) database that does not require individual authentication, this is not a finding.
+
+If non-organizational users are not uniquely identified and authenticated, this is a finding.SRG-APP-000211-DB-000122<GroupDescription></GroupDescription>SQL4-00-020500SQL Server must be configured to separate user functionality (including user interface services) from database management functionality.<VulnDiscussion>Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers and typically requires privileged user access.
+
+The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate.
+
+An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources.
+
+This may include isolating the administrative interface on a different domain and with additional access controls.
+
+If administrative functionality or information regarding DBMS management is presented on an interface available for users, information on DBMS settings may be inadvertently made available to the user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82365V-67875CCI-001082Establish one or more locally-defined server roles and one or more locally-defined database roles for organizing administrative permissions. Grant administrative permissions to these roles. Assign the appropriate administrative users to these roles. Do not grant the roles and permissions to general users.Check SQL Server permission settings to verify that administrative functionality is kept separate from user functionality. The views and functions provided in the supplemental file Permissions.sql can help with this review.
+
+If administrator and general user functionality are not separated either physically or logically, this is a finding.SRG-APP-000233-DB-000124<GroupDescription></GroupDescription>SQL4-00-021500SQL Server must isolate security functions from nonsecurity functions.<VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.
+
+Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based".
+
+Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles.
+
+Database Management Systems typically separate security functionality from nonsecurity functionality via separate databases or schemas. SQL Server's [master] database and [sys] schema are examples of this. Further granularity of access protection is provided by assigning logins and users to appropriate server roles and database roles
+
+Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and nonsecurity functionality is commingled, users who have access to nonsecurity functionality may be able to access security functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82369V-67879CCI-001084Where possible, locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic.
+
+In all cases, use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on server-level and database-level security-related objects to provide effective isolation.Determine application-specific security objects (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) which are being housed inside SQL server in addition to the built-in security objects.
+
+Review permissions, both direct and indirect, on the security objects, both built-in and application-specific. The functions and views provided in the supplemental file Permissions.sql can help with this.
+
+If the database(s), schema(s) and permissions on security objects are not organized to provide effective isolation of security functions from nonsecurity functions, this is a finding.SRG-APP-000080-DB-000063<GroupDescription></GroupDescription>SQL4-00-023700SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action.<VulnDiscussion>Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.
+
+Non-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.
+
+Use of shared accounts does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users (as in connection pooling).
+
+When shared accounts are utilized without another means of identifying individual users, users may deny having performed a particular action.
+
+(Shared accounts should not be confused with Windows groups, which are used in role-based access control.)</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82253V-67763CCI-000166Remove user-accessible shared accounts and use individual userids.
+
+Build/configure applications to ensure successful individual authentication prior to shared account access.
+
+Ensure each user's identity is received and used in audit data in all relevant circumstances.
+
+Design, develop, and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.Obtain the list of authorized SQL Server accounts in the system documentation.
+
+If accounts are determined to be shared, determine if individuals are first individually authenticated.
+
+If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding.
+
+The key is individual accountability. If this can be traced, this is not a finding.
+
+If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.
+
+Review contents of audit logs, traces and data tables to confirm that the identity of the individual user performing the action is captured.
+
+If shared identifiers are found, and not accompanied by individual identifiers, this is a finding.
+
+Note: Privileged installation accounts may be required to be accessed by the DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.SRG-APP-000231-DB-000154<GroupDescription></GroupDescription>SQL4-00-024500The Service Master Key must be backed up, stored offline and off-site.<VulnDiscussion>Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-81877V-67387CCI-001199Document and implement procedures to safely back up and store the Service Master Key. Include in the procedures methods to establish evidence of backup and storage, and careful, restricted access and restoration of the Service Master Key. Also, include provisions to store the key off-site.
+
+BACKUP SERVICE MASTER KEY TO FILE = 'path_to_file'
+ENCRYPTION BY PASSWORD = 'password';
+
+As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.Review procedures for, and evidence of backup of, the SQL Server Service Master Key in the System Security Plan.
+
+If the procedures or evidence do not exist, this is a finding.
+
+If the procedures do not indicate offline and off-site storage of the Service Master Key, this is a finding.
+
+If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.SRG-APP-000023-DB-000001<GroupDescription></GroupDescription>SQL4-00-030300SQL Server authentication and identity management must be integrated with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.<VulnDiscussion>Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.
+
+A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed.
+
+Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.
+
+Account management and authentication in a Windows environment normally use an LDAP-compatible directory service, usually Windows Active Directory. This in turn, in the DoD environment, is typically integrated with the Public Key Infrastructure (PKI). Additional technologies or products may be employed that when placed together constitute an overall mechanism supporting an organization's automated account management requirements. An example is the use of Group Policy Objects to enforce rules concerning passwords.
+
+SQL Server must be configured to use Windows authentication, with SQL Server authentication disabled. If circumstances (such as the architecture of a purchased application) make it necessary to have SQL Server authentication available, its use must be kept to a minimum. The reasons for its use, and the measures taken to restrict it to only the necessary cases, must be documented, with AO approval.
+
+It is assumed throughout this STIG that this integration has been implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82249V-67759CCI-000015If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of SQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; obtain official approval.
+
+If mixed mode is not required, disable it as follows:
+
+In the SSMS Object Explorer, right-click on the server instance; select Properties. Select the Security page. Click on the radio button for Windows Authentication Mode. Click on "OK." Restart the SQL Server instance.
+
+Alternatively, run the statement:
+EXEC xp_instance_regwrite
+ N'HKEY_LOCAL_MACHINE',
+ N'Software\Microsoft\MSSQLServer\MSSQLServer',
+ N'LoginMode',
+ REG_DWORD,
+ 1;
+Restart the SQL Server instance.
+
+For each account being managed by SQL Server but not requiring it, drop or disable the SQL Login. Replace it with an appropriately configured account, as needed.
+
+To drop or disable a Login in the SSMS Object Explorer:
+Navigate to <server name> >> Security >> Logins.
+Right-click on the Login name; click on Delete or Disable.
+
+To drop or disable a Login by using a query:
+USE master;
+DROP LOGIN <login name>;
+ALTER LOGIN <login name> DISABLE;
+
+Dropping a Login does not delete the equivalent database User(s). There may be more than one database containing a User mapped to the Login. Drop the User(s) unless still needed..
+
+To drop a User in the SSMS Object Explorer:
+Navigate to <server name> >> Databases >> <database name> >> Security >> Users.
+Right-click on the User name; click on Delete.
+
+To drop a User via a query:
+USE <database name>;
+DROP USER <user name>;Determine whether SQL Server is configured to use only Windows authentication.
+
+In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance; select Properties. Select the Security page.
+
+If Windows Authentication Mode is selected, this is not a finding.
+
+Alternatively, in a query interface such as the SSMS Transact-SQL editor, run the statement:
+EXECUTE xp_instance_regread
+ N'HKEY_LOCAL_MACHINE',
+ N'Software\Microsoft\MSSQLServer\MSSQLServer',
+ N'LoginMode';
+
+If the returned value in the "Data" column is 1, this is not a finding.
+
+Mixed mode (both SQL Server authentication and Windows authentication) is in use.
+
+If the need for mixed mode has not been documented and approved, this is a finding.
+
+From the documentation, obtain the list of accounts authorized to be managed by SQL Server.
+
+Determine the accounts (SQL Logins) actually managed by SQL Server. Run the statement:
+SELECT
+ name
+FROM
+ sys.sql_logins
+WHERE
+ type_desc = 'SQL_LOGIN'
+ AND is_disabled = 0;
+
+If any accounts listed by the query are not listed in the documentation, this is a finding.SRG-APP-000091-DB-000325<GroupDescription></GroupDescription>SQL4-00-030410Where SQL Server Audit is in use, SQL Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.<VulnDiscussion>Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions.
+
+This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+This requirement applies to SQL Server Audit-based audit trails; Trace does not have this capability.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_ACCESS_GROUP causes capture of all accesses, successful and otherwise, to the system views (and all other schema-scoped objects). The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False. For example, SELECT 1/0 FROM SYS.ALL_OBJECTS will appear in the audit trail as successful, if the user has permission to perform that action, even though it contains an invalid expression. Some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82261V-67771CCI-000172Design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf SQL Server Trace is in use for audit purposes, and SQL Server Audit is not in use, this is not a finding.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT actions on the permissions-related system views, and any locally-defined permissions tables, are being audited:
+
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+GO
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000109-DB-000321<GroupDescription></GroupDescription>SQL4-00-030600Where availability is paramount, the SQL Server must continue processing (preferably overwriting existing records, oldest first), in the event of lack of space for more Audit/Trace log records; and must keep processing after any failure of an Audit/Trace.<VulnDiscussion>It is critical that when SQL Server is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
+
+When availability is an overriding concern, approved actions in response to an audit failure are as follows:
+
+(i) If the failure was caused by the lack of audit record storage capacity, the DBMS must continue generating audit records, if possible (automatically restarting the audit service if necessary), preferably overwriting the oldest audit records in a first-in-first-out manner.
+
+(ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the DBMS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
+
+Systems where availability is paramount will most likely be MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid audit data loss in all but the most extreme situations.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
+
+However, although Trace supports FIFO rollover, SQL Server Audit does not: its CONTINUE option stops the production of new audit records when there is an audit failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82277V-67787CCI-000140If SQL Server Audit is in use, configure SQL Server Audit to continue to generate audit records, overwriting the oldest existing records, in the case of an auditing failure.
+
+Run this T-SQL script for each identified audit:
+
+ALTER SERVER AUDIT [AuditName] WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT [AuditName] to file (max_rollover_files = IntegerValue);
+GO
+ALTER SERVER AUDIT [AuditName] WITH (STATE = ON);
+GOIf the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Audit is in use, review the defined server audits by running the statement:
+
+SELECT [name], [max_rollover_files] FROM sys.server_file_audits
+WHERE is_state_enabled = 1;
+
+By observing the [name] and [max_rollover_files] columns, identify the row or rows in use.
+
+If the [max_rollover_files] is greater than zero, this is not a finding. Otherwise, this is a finding.SRG-APP-000133-DB-000362<GroupDescription></GroupDescription>SQL4-00-030700The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users.<VulnDiscussion>If SQL Server were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82305V-67815CCI-001499Revoke unauthorized memberships in the group(s)/role(s) designated for DBMS and database modification.
+
+Syntax examples:
+
+ALTER ROLE Power DROP MEMBER JenUser; -- the member is a database role or database user.
+ALTER SERVER ROLE GreatPower DROP MEMBER Irresponsibility; -- the member is a server role or login.Using the system security plan, identify the group(s)/role(s) established for SQL Server DBMS and database modification, and the individuals authorized to modify the DBMS and database(s). If helpful, the views STIG.server_permissions and STIG.database_permissions, provided in the supplemental file Permissions.sql, can be used to search for the relevant roles: look for Permission values containing "Alter," "Create," "Control," etc.
+
+Obtain the list of users in those group(s)/roles. The provided functions STIG.members_of_db_role() and STIG.members_of_server_role(), can be used for this.
+
+If unauthorized access to the group(s)/role(s) has been granted, this is a finding.SRG-APP-000179-DB-000114<GroupDescription></GroupDescription>SQL4-00-031100SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.<VulnDiscussion>Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of SQL Server.
+
+Applications, including DBMSs, utilizing cryptography are required to use approved NIST FIPS 140-2 or 140-3 validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+Operations that require the use of cryptography include the provisioning of digital signatures, the generation and validation of cryptographic hashes, and the protection of data by storing and transmitting it in encrypted form.
+
+NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules.
+
+The standard for validating cryptographic modules will transition to the NIST FIPS 140-3 publication.
+
+FIPS 140-2 modules can remain active for up to five years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list. Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page:
+https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules
+
+More information on the FIPS 140-3 transition can be found here:
+https://csrc.nist.gov/Projects/fips-140-3-transition-effort/</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82361V-67871CCI-000803CCI-002450In Windows, open Administrative Tools >> Local Security Policy. Expand Local Policies >> Security Options. In the right-side pane, double-click on "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
+
+In the dialog box that appears, if the radio buttons are active, click Enabled, and then click Apply. If the radio buttons are grayed out, use Group Policy Management (on the appropriate server for this domain) to enforce the Enabled policy, and deploy it to the server(s) running SQL Server.In Windows, open Administrative Tools >> Local Security Policy. Expand Local Policies >> Security Options. In the right-side pane, find "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
+
+If, in the Security Setting column, the value is "Disabled," this is a finding.SRG-APP-000243-DB-000374<GroupDescription></GroupDescription>SQL4-00-031400Access to database files must be limited to relevant processes and to authorized, administrative users.<VulnDiscussion>Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82371V-67881CCI-001090Configure the permissions granted by the operating system/file system on the database files, database transaction log files, database audit log files, and database backup files so that only relevant system accounts and authorized system administrators and database administrators with a need to know are permitted to read/view these files.Review the permissions granted to users by the operating system/file system on the database files, database transaction log files, database audit log files, and database backup files.
+
+If any user/role who is not an authorized system administrator with a need to know or database administrator with a need to know, or a system account for running DBMS processes, is permitted to read/view any of these files, this is a finding.SRG-APP-000295-DB-000305<GroupDescription></GroupDescription>SQL4-00-031700SQL Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.<VulnDiscussion>This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.
+
+Session termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated.
+
+Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
+
+This capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82373V-67883CCI-002361Configure SQL Server, Windows and/or third-party tools to automatically terminate a user session after organization-defined conditions or trigger events requiring session termination.Review system documentation to obtain the organization's definition of circumstances requiring automatic session termination.
+
+If the documentation explicitly states that such termination is not required or is prohibited, this is not a finding.
+
+If the documentation requires automatic session termination, but SQL Server and Windows (or third-party tools) are not configured accordingly, this is a finding.SRG-APP-000340-DB-000304<GroupDescription></GroupDescription>SQL4-00-032500SQL Server must prevent non-privileged users from executing privileged functionality, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+System documentation should include a definition of the functionality considered privileged.
+
+Depending on circumstances, privileged functions can include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
+
+A privileged function in the DBMS/database context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In SQL Server, it encompasses, but is not necessarily limited to:
+CREATE
+ALTER
+DROP
+GRANT
+REVOKE
+DENY
+
+There may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples include:
+
+TRUNCATE TABLE;
+DELETE, or
+DELETE affecting more than n rows, for some n, or
+DELETE without a WHERE clause;
+
+UPDATE or
+UPDATE affecting more than n rows, for some n, or
+UPDATE without a WHERE clause;
+
+any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal.
+
+Depending on the design of the database and associated applications, the prevention of unauthorized use of privileged functions may be achieved by means of DBMS security features, database triggers, other mechanisms, or a combination of these.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82375V-67885CCI-002235Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to align EXECUTE permissions (and any other relevant permissions) with documented requirements.Review the system documentation to obtain the definition of the SQL Server database/DBMS functionality considered privileged in the context of the system in question.
+
+Review the SQL Server security configuration and/or other means used to protect privileged functionality from unauthorized use.
+
+If the configuration does not protect all of the actions defined as privileged, this is a finding.
+
+The database permission functions and views provided in the supplemental file Permissions.sql can help with this.SRG-APP-000342-DB-000302<GroupDescription></GroupDescription>SQL4-00-032600Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.<VulnDiscussion>In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.
+
+Privilege elevation must be utilized only where necessary and protected from misuse.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82377V-67887CCI-002233Determine where, when, how, and by what principals/subjects elevated privilege is needed.
+
+Modify documentation as necessary to align it with the actual need for privilege elevation.
+
+Modify the database and DBMS security configuration, stored procedures, functions, and triggers, external modules invoked by the DBMS, and the application(s) using the database, so that privilege elevation is used only as required.Review the system documentation, SQL Server instance and database security configuration, source code for stored procedures, functions, and triggers, source code of external modules invoked by the DBMS, and source code of the application(s) using the database.
+
+If elevation of DBMS privileges is utilized but not documented, this is a finding.
+
+If elevation of DBMS privileges is documented, but not implemented as described in the documentation, this is a finding.
+
+If the privilege-elevation logic can be invoked in ways other than intended, or in contexts other than intended, or by subjects/principals other than intended, this is a finding.SRG-APP-000356-DB-000314<GroupDescription></GroupDescription>SQL4-00-032800SQL Server must utilize centralized management of the content captured in audit records generated by all components of the DBMS.<VulnDiscussion>Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.
+
+The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records.
+
+SQL Server may write audit records to files in the file system, to other kinds of local repository, or directly to a centralized log management system. (If the Trace facility is used for auditing - this is no longer recommended, but may be in place for legacy reasons - a trace table is another possible destination.) Whatever the method used, it must be compatible with off-loading the records to the centralized system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82379V-67889CCI-001844Configure and/or deploy software tools to ensure that SQL Server audit records (to include traces used for audit purposes) are written directly to or systematically transferred to a centralized log management system.Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.
+
+If the SQL Server audit records (to include traces used for audit purposes) are not written directly to or systematically transferred to a centralized log management system, this is a finding.SRG-APP-000357-DB-000316<GroupDescription></GroupDescription>SQL4-00-033000SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>In order to ensure sufficient storage capacity for the audit logs, SQL Server must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism.
+
+In determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the ability to reuse the space formerly occupied by off-loaded records.
+
+As noted elsewhere in this document, SQL Server's Audit and/or Trace features can be used for auditing purposes. This requirement applies to both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991V-67891SV-82381CCI-001849Allocate sufficient audit storage space to support peak demand.Investigate whether there have been any incidents where the system ran out of audit log space (to include traces used for audit purposes) since the last time the space was allocated or other corrective measures were taken.
+
+If there have been, this is a finding.SRG-APP-000359-DB-000319<GroupDescription></GroupDescription>SQL4-00-033400SQL Server, the operating system, or the storage system must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.<VulnDiscussion>Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to SQL Server on its own server will not be an issue. However, space will still be required on the DBMS server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result.
+
+As noted elsewhere in this document, SQL Server's Audit and/or Trace features can be used for auditing purposes. This requirement applies to both.
+
+If support personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion.
+
+The monitoring and alerting may be done at the database level, the operating system level, or by specialized monitoring tools.
+
+The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82383V-67893CCI-001855Configure the system to notify appropriate support staff immediately upon storage volume utilization reaching 75%.Review system configuration.
+
+If appropriate support staff are not notified immediately upon storage volume utilization reaching 75%, this is a finding.SRG-APP-000360-DB-000320<GroupDescription></GroupDescription>SQL4-00-033500SQL Server or software monitoring SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+As noted elsewhere in this document, SQL Server's Audit and/or Trace features can be used for auditing purposes. This requirement applies to both.
+
+The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.
+
+A failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions
+
+Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82385V-67895CCI-001858Configure the system to provide immediate real-time alerts to appropriate support staff when an audit log failure occurs.Review SQL Server settings, OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason.
+
+If real-time alerts are not sent upon auditing failure, this is a finding.SRG-APP-000374-DB-000322<GroupDescription></GroupDescription>SQL4-00-033600SQL Server must produce time stamps that can be mapped to Coordinated Universal Time (UTC, formerly GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis, in audit files, trace files/tables, and application data tables.
+
+Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. SQL Server obtains the date and time from the Windows operating system. In a normal configuration, the OS obtains them from an official time server, using Network Time Protocol (NTP). The ultimate source is the United States Naval Observatory Master Clock.
+
+SQL Server built-in functions for retrieving current timestamps are: (high precision) sysdatetime(), sysdatetimeoffset(), sysutcdatetime(); (lower precision) CURRENT_TIMESTAMP or getdate(), getutcdate().
+
+Provided the operating system is synchronized with an official time server, these timestamp-retrieval functions are automatically compliant with this requirement, as are SQL Server's audit and trace capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82387V-67897CCI-001890Where possible, configure the operating system to automatic synchronize with an official time server, using NTP.
+
+Where there is reason not to implement automatic synchronization with an official time server, using NTP, document the reason, and the procedure for maintaining the correct time, and obtain AO approval. Enforce the procedure.Verify that the Windows operating system is configured to synchronize with an official time server, using Network Time Protocol (NTP).
+
+If it is not, and this is not documented, with justification and AO authorization, this is a finding.
+
+If the OS does not synchronize with a time server, review the procedure for maintaining accurate time on the system.
+
+If such a procedure does not exist, this is a finding.
+
+If the procedure exists, review evidence that the correct time is actually maintained.
+
+If the evidence indicates otherwise, this is a finding.SRG-APP-000378-DB-000365<GroupDescription></GroupDescription>SQL4-00-033800SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.<VulnDiscussion>Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.
+
+The nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.
+
+SQL Server must control software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization).
+
+In the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82389V-67899CCI-001812Document and obtain approval for any non-administrative users who require the ability to create, alter or replace logic modules.
+
+Implement the approved permissions. Revoke (or Deny) any unapproved permissions, and remove any unauthorized role memberships.If the SQL Server instance supports only software development, experimentation and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.
+
+Review the SQL Server instance and database security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views. The database permission functions and views provided in the supplemental file Permissions.sql can help with this.
+
+If any such permissions exist and are not documented and approved, this is a finding.SRG-APP-000380-DB-000360<GroupDescription></GroupDescription>SQL4-00-033900SQL Server and Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance or database(s).<VulnDiscussion>Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system.
+
+When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system.
+
+Accordingly, SQL Server and Windows must allow only qualified and authorized individuals to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82391V-67901CCI-001813Configure SQL Server to enforce access restrictions associated with changes to the configuration of the SQL Server instance and database(s).Review the security configuration of the SQL Server instance and database(s).
+
+If unauthorized Windows users can start the SQL Server Configuration Manager or SQL Server Management Studio, this is a finding.
+
+If SQL Server does not enforce access restrictions associated with changes to the configuration of the SQL Server instance or database(s), this is a finding.
+
+- - - - -
+
+To assist in conducting reviews of permissions, the following views and permissions are defined in the supplemental file Permissions.sql, provided with this STIG:
+database_permissions
+database_role_members
+server_permissions
+server_role_members
+database_effective_permissions('<database user/role name>')
+database_roles_of('<database user/role name>')
+members_of_db_role('<database role name>')
+members_of_server_role('<server role name>')
+server_effective_permissions('<server login/role name>')
+server_roles_of('<server login/role name>')
+
+Permissions of concern in this respect include the following, and possibly others:
+- any server permission except CONNECT SQL, but including CONNECT ANY DATABASE
+- any database permission beginning with "CREATE" or "ALTER"
+- CONTROL
+- INSERT, UPDATE, DELETE, EXECUTE on locally-defined tables and procedures designed for supplemental configuration and security purposes.SRG-APP-000381-DB-000361<GroupDescription></GroupDescription>SQL4-00-034000SQL Server must produce Trace or Audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s).<VulnDiscussion>Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions.
+
+Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82393V-67903CCI-001814Design and deploy a SQL Server Audit or Trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to create a trace.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name>
+ ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),
+ ADD (AUDIT_CHANGE_GROUP),
+ ADD (BACKUP_RESTORE_GROUP),
+ ADD (DATABASE_CHANGE_GROUP),
+ ADD (DATABASE_OBJECT_ACCESS_GROUP),
+ ADD (DATABASE_OBJECT_CHANGE_GROUP),
+ ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (DATABASE_OPERATION_GROUP),
+ ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
+ ADD (DATABASE_PERMISSION_CHANGE_GROUP),
+ ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
+ ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP),
+ ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
+ ADD (DBCC_GROUP),
+ ADD (LOGIN_CHANGE_PASSWORD_GROUP),
+ ADD (SCHEMA_OBJECT_CHANGE_GROUP),
+ ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_OBJECT_CHANGE_GROUP),
+ ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_OPERATION_GROUP),
+ ADD (SERVER_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
+ ADD (SERVER_STATE_CHANGE_GROUP),
+ ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
+ ADD (TRACE_CHANGE_GROUP)
+;
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+102 -- Audit Statement GDR Event
+103 -- Audit Object GDR Event
+104 -- Audit AddLogin Event
+105 -- Audit Login GDR Event
+106 -- Audit Login Change Property Event
+107 -- Audit Login Change Password Event
+108 -- Audit Add Login to Server Role Event
+109 -- Audit Add DB User Event
+110 -- Audit Add Member to DB Role Event
+111 -- Audit Add Role Event
+112 -- Audit App Role Change Password Event
+113 -- Audit Statement Permission Event
+115 -- Audit Backup/Restore Event
+116 -- Audit DBCC Event
+117 -- Audit Change Audit Event
+118 -- Audit Object Derived Permission Event
+128 -- Audit Database Management Event
+129 -- Audit Database Object Management Event
+130 -- Audit Database Principal Management Event
+131 -- Audit Schema Object Management Event
+132 -- Audit Server Principal Impersonation Event
+133 -- Audit Database Principal Impersonation Event
+134 -- Audit Server Object Take Ownership Event
+135 -- Audit Database Object Take Ownership Event
+152 -- Audit Change Database Owner
+153 -- Audit Schema Object Take Ownership Event
+162 -- User error message
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+175 -- Audit Server Alter Trace Event
+176 -- Audit Server Object Management Event
+177 -- Audit Server Principal Management Event
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all configuration-related actions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name IN
+(
+'APPLICATION_ROLE_CHANGE_PASSWORD_GROUP',
+'AUDIT_CHANGE_GROUP',
+'BACKUP_RESTORE_GROUP',
+'DATABASE_CHANGE_GROUP',
+'DATABASE_OBJECT_ACCESS_GROUP',
+'DATABASE_OBJECT_CHANGE_GROUP',
+'DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_OBJECT_PERMISSION_CHANGE_GROUP',
+'DATABASE_OPERATION_GROUP',
+'DATABASE_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_PERMISSION_CHANGE_GROUP',
+'DATABASE_PRINCIPAL_CHANGE_GROUP',
+'DATABASE_PRINCIPAL_IMPERSONATION_GROUP',
+'DATABASE_ROLE_MEMBER_CHANGE_GROUP',
+'DBCC_GROUP',
+'LOGIN_CHANGE_PASSWORD_GROUP',
+'SCHEMA_OBJECT_CHANGE_GROUP',
+'SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_OBJECT_CHANGE_GROUP',
+'SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SERVER_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_OPERATION_GROUP',
+'SERVER_PERMISSION_CHANGE_GROUP',
+'SERVER_PRINCIPAL_IMPERSONATION_GROUP',
+'SERVER_ROLE_MEMBER_CHANGE_GROUP',
+'SERVER_STATE_CHANGE_GROUP',
+'TRACE_CHANGE_GROUP'
+);
+GO
+
+Examine the list produced by the query.
+
+If any of the audit action groups specified in the WHERE clause are not included in the list, this is a finding.
+
+If the audited_result column is not "SUCCESS AND FAILURE" on every row, this is a finding.SRG-APP-000383-DB-000364<GroupDescription></GroupDescription>SQL4-00-034200SQL Server must disable communication protocols not required for operation.<VulnDiscussion>Having unnecessary protocols enabled exposes the system to avoidable threats. In a typical installation, only TCP/IP will be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82395V-67905CCI-001762In SQL Server Configuration Manager, right-click on each enabled protocol that is not required. Select Disabled.
+
+Close SQL Server Configuration Manager. Restart SQL Server.Review the system security plan to determine the communication protocols used by the SQL Server instance.
+
+Open SQL Server Configuration Manager from the Windows Start menu or by entering "SQLServerManager12.msc" in a Command Prompt window or in the Run dialog box. Select SQL Server Network Configuration >> Protocols for <instance name>. Review the list of protocols.
+
+If any that are not required are shown as enabled, this is a finding.SRG-APP-000429-DB-000387<GroupDescription></GroupDescription>SQL4-00-034800SQL Server must implement and/or support cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.<VulnDiscussion>DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
+
+The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82397V-67907CCI-002476Where full-disk encryption is required, configure Windows and/or the storage system to provide this.
+
+Where transparent data encryption (TDE) is required, deploy the necessary stack of certificates and keys, and set the Encryption Enabled to True. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 TDE".
+
+Where column encryption is required, deploy the necessary stack of certificates and keys, and enable encryption on the columns in question. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 Encrypt a Column of Data".Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
+
+If no information is identified as requiring such protection, this is not a finding.
+
+Review the configuration of SQL Server, Windows, and additional software as relevant.
+
+If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.
+
+If database transparent data encryption (TDE) is called for, check whether it is enabled:
+In SQL Server Management Studio, Object Explorer, expand the instance and right-click on the database name; select properties. Select the Options page, State section, Encryption Enabled parameter.
+
+If the value displayed is False, this is a finding.
+
+If column encryption, done via SQL Server features, is required, review the definitions and contents of the relevant tables and columns.
+
+If any of the information defined as requiring cryptographic protection is not encrypted in a manner that provides the required level of protection, this is a finding.SRG-APP-000441-DB-000378<GroupDescription></GroupDescription>SQL4-00-035000The confidentiality and integrity of information managed by SQL Server must be maintained during preparation for transmission.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
+
+Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
+
+When transmitting data, SQL Server, associated applications, and infrastructure must leverage transmission protection mechanisms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82399V-67909CCI-002420Implement protective measures against unauthorized disclosure and modification during preparation for transmission.If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
+
+If SQL Server, associated applications, and infrastructure do not employ protective measures against unauthorized disclosure and modification during preparation for transmission, this is a finding.SRG-APP-000442-DB-000379<GroupDescription></GroupDescription>SQL4-00-035100The confidentiality and integrity of information managed by SQL Server must be maintained during reception.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
+
+This requirement applies only to those applications that are either distributed or can allow access to data nonlocally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
+
+When receiving data, SQL Server, associated applications, and infrastructure must leverage protection mechanisms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82401V-67911CCI-002422Implement protective measures against unauthorized disclosure and modification during reception.If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
+
+If SQL Server, associated applications, and infrastructure do not employ protective measures against unauthorized disclosure and modification during reception, this is a finding.SRG-APP-000456-DB-000390<GroupDescription></GroupDescription>SQL4-00-035400Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).<VulnDiscussion>Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82403V-67913CCI-002605Institute and adhere to policies and procedures to ensure that patches are consistently applied to SQL Server within the time allowed.Obtain evidence that software patches are consistently applied to SQL Server within the time frame defined for each patch.
+
+If such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding.SRG-APP-000456-DB-000390<GroupDescription></GroupDescription>SQL4-00-035500Software updates to SQL Server must be tested before being applied to production systems.<VulnDiscussion>While it is important to apply SQL Server updates in a timely manner, it is also incumbent upon the database administrator and/or system administrator to ensure that their deployment will not interfere with the operation of the database and its applications. Other than in emergency situations, SQL Server updates must be applied to appropriately configured non-production systems, and the resulting version of SQL Server assessed for correct operation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82405V-67915CCI-002605Institute and adhere to policies and procedures to ensure that SQL Server updates are tested prior to installation on production servers.Obtain evidence that SQL Server software updates are tested before being applied to production servers, and that any exceptions are approved by the ISSM.
+
+If such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding.SRG-APP-000492-DB-000332<GroupDescription></GroupDescription>SQL4-00-035600SQL Server must produce Trace or Audit records when security objects are accessed.<VulnDiscussion>Changes to the security configuration must be tracked.
+
+This requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via SQL Server's built-in security functionality (GRANT, REVOKE, DENY, ALTER [SERVER] ROLE ... ADD/DROP MEMBER ..., etc.).
+
+In SQL Server, types of access include, but are not necessarily limited to:
+SELECT
+INSERT
+UPDATE
+DELETE
+EXECUTE
+
+Since the system views are read-only, and the underlying tables are kept hidden by SQL Server, the Insert, Update and Delete cases are relevant only where the database includes user-defined tables to support additional security functionality.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016. Note also that Trace does not support auditing of SELECT statements, whereas Audit does.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82407V-67917CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event on each table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf there are no locally-defined security tables, functions, or procedures, this is not applicable.
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of locally-defined security tables that require tracking of Insert-Update-Delete operations.
+
+If SQL Server Trace is in use for audit purposes, review these tables for the existence of triggers to raise a custom event on each Insert-Update-Delete operation.
+
+If such triggers are not present, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event (at least one of these; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on locally-defined permissions tables, and EXECUTE actions on locally-defined permissions functions and procedures, are being audited:
+
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000492-DB-000333<GroupDescription></GroupDescription>SQL4-00-035700SQL Server must produce Trace or Audit records when unsuccessful attempts to access security objects occur.<VulnDiscussion>Changes to the security configuration must be tracked. To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+This requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via SQL Server's built-in security functionality (GRANT, REVOKE, DENY, ALTER [SERVER] ROLE ... ADD/DROP MEMBER ..., etc.).
+
+In SQL Server, types of access include, but are not necessarily limited to:
+SELECT
+INSERT
+UPDATE
+DELETE
+EXECUTE
+
+Since the system views are read-only, and the underlying tables are kept hidden by SQL Server, the Insert, Update and Delete cases are relevant only where the database includes user-defined tables to support additional security functionality.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016. Note also that Trace does not support auditing of SELECT statements, whereas Audit does.
+
+Use of SQL Server Audit's SCHEMA_OBJECT_ACCESS_GROUP causes capture of all accesses, successful and otherwise, to all schema-scoped objects. The [Succeeded] column in the audit output indicates the success or failure of the attempted action. Be aware, however, that it may report True in some cases where one would intuitively expect False. For example, SELECT 1/0 FROM SYS.ALL_OBJECTS will appear in the audit trail as successful, if the user has permission to perform that action, even though it contains an invalid expression. Some other actions that one would consider failures (such as selecting from a table that does not exist) may not appear at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82409V-67919CCI-000172Where SQL Server Trace is in use, create triggers to raise a custom event on each table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add a block of code to the supplemental file Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using Extended Events and/or triggers.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf there are no locally-defined security tables, functions, or procedures, this is not applicable (NA).
+
+If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of locally-defined security tables that require tracking of Insert-Update-Delete operations.
+
+If SQL Server Trace is in use for audit purposes, review these tables for the existence of triggers to raise a custom event on each Insert-Update-Delete operation.
+
+If such triggers are not present, this is a finding.
+
+Check to see that all required event classes are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event (at least one of these; 90 is used in the supplied script)
+162 -- User error message
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the broad, server-level audit action group SCHEMA_OBJECT_ACCESS_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all SELECT, INSERT, UPDATE, and DELETE actions on locally-defined permissions tables, and EXECUTE actions on locally-defined permissions functions and procedures, are being audited:
+
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE", this is a finding.SRG-APP-000495-DB-000326<GroupDescription></GroupDescription>SQL4-00-036000SQL Server must generate Trace or Audit records when privileges/permissions are added.<VulnDiscussion>Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.
+
+In SQL Server, adding permissions is typically done via the GRANT command, or, in the negative, DENY; or with the ALTER SERVER ROLE . . . ADD MEMBER . . ., and/or ALTER ROLE . . . ADD MEMBER . . . commands. Native SQL Server security functionality may be supplemented with application-specific tables and logic, in which case the following actions on these tables and procedures/triggers/functions are also relevant:
+INSERT
+UPDATE (in cases where more than one permission can be represented in a single row)
+EXECUTE
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82411V-67921CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name>
+ ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
+ ADD (DATABASE_PERMISSION_CHANGE_GROUP),
+ ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
+ ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
+;
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of locally-defined security tables, procedures and functions (if any) that require tracking.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event (required only where there are locally-defined security tables or procedures)
+102 -- Audit Database Scope GDR
+103 -- Audit Object GDR Event
+104 -- Audit AddLogin Event
+105 -- Audit Login GDR Event
+108 -- Audit Add Login to Server Role Event
+109 -- Audit Add DB User Event
+110 -- Audit Add Member to DB Role Event
+111 -- Audit Add Role Event
+162 -- User error message
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+177 -- Audit Server Principal Management Event
+
+Review the locally-defined security tables (if any) for the existence of triggers to raise a custom event on each Insert-Update-Delete operation.
+
+If such triggers are not present, this is a finding.
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all GRANT, ALTER SERVER ROLE . . . ADD MEMBER . . ., and/or ALTER ROLE . . . ADD MEMBER . . . actions, all INSERT and UPDATE actions on any locally-defined permissions tables, and all EXECUTE actions on any system or locally-defined permissions-related procedures and functions, are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name IN
+(
+'DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_OBJECT_PERMISSION_CHANGE_GROUP',
+'DATABASE_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_PERMISSION_CHANGE_GROUP',
+'DATABASE_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SERVER_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_PERMISSION_CHANGE_GROUP',
+'SERVER_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_ACCESS_GROUP'
+);
+GO
+
+Examine the list produced by the query.
+
+If any locally-defined permissions tables, procedures, or functions exist, and the list does not include the audit action group SCHEMA_OBJECT_ACCESS_GROUP, this is a finding.
+
+If any of the other audit action groups specified in the WHERE clause are not included in the list, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE" on every row, this is a finding.SRG-APP-000495-DB-000327<GroupDescription></GroupDescription>SQL4-00-036100SQL Server must generate Trace or Audit records when unsuccessful attempts to add privileges/permissions occur.<VulnDiscussion>Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.
+
+In SQL Server, adding permissions is typically done via the GRANT command, or, in the negative, DENY; or with the ALTER SERVER ROLE . . . ADD MEMBER . . ., and/or ALTER ROLE . . . ADD MEMBER . . . commands. Native security functionality may be supplemented with application-specific tables and logic, in which case the following actions on these tables and procedures/triggers/functions are also relevant:
+INSERT
+UPDATE
+EXECUTE
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82413V-67923CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers. Execute Trace.sql.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name>
+ ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
+ ADD (DATABASE_PERMISSION_CHANGE_GROUP),
+ ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
+ ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_PERMISSION_CHANGE_GROUP),
+ ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
+;
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of locally-defined security tables, procedures and functions (if any) that require tracking.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event (required only where there are locally-defined security tables or procedures)
+102 -- Audit Database Scope GDR
+103 -- Audit Object GDR Event
+104 -- Audit AddLogin Event
+105 -- Audit Login GDR Event
+108 -- Audit Add Login to Server Role Event
+109 -- Audit Add DB User Event
+110 -- Audit Add Member to DB Role Event
+111 -- Audit Add Role Event
+162 -- User error message
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+177 -- Audit Server Principal Management Event
+
+Review the locally-defined security tables (if any) for the existence of triggers to raise a custom event on each Insert-Update-Delete operation.
+
+If such triggers are not present, this is a finding.
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all GRANT, ALTER SERVER ROLE . . . ADD MEMBER . . ., and/or ALTER ROLE . . . ADD MEMBER . . . actions, all INSERT and UPDATE actions on any locally-defined permissions tables, and all EXECUTE actions on any system or locally-defined permissions-related procedures and functions, are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name IN
+(
+'DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_OBJECT_PERMISSION_CHANGE_GROUP',
+'DATABASE_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_PERMISSION_CHANGE_GROUP',
+'DATABASE_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SERVER_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_PERMISSION_CHANGE_GROUP',
+'SERVER_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_ACCESS_GROUP'
+);
+GO
+
+Examine the list produced by the query.
+
+If any locally-defined permissions tables, procedures, or functions exist, and the list does not include the audit action group SCHEMA_OBJECT_ACCESS_GROUP, this is a finding.
+
+If any of the other audit action groups specified in the WHERE clause are not included in the list, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE" on every row, this is a finding.SRG-APP-000499-DB-000330<GroupDescription></GroupDescription>SQL4-00-036900SQL Server must generate Trace or Audit records when privileges/permissions are deleted.<VulnDiscussion>Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.
+
+In SQL Server, deleting permissions is typically done via the REVOKE or DENY command; or with the ALTER SERVER ROLE . . . DROP MEMBER . . . and/or ALTER ROLE . . . DROP MEMBER . . . statements. However, native SQL Server security functionality may be supplemented with application-specific tables and logic, in which case the following actions on these tables and procedures/triggers/functions are also relevant:
+DELETE
+EXECUTE
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82415V-67925CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Execute Trace.sql.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of locally-defined security tables (if any) that require tracking of Insert-Update-Delete operations.
+
+If SQL Server Trace is in use for audit purposes, review these tables for the existence of triggers to raise a custom event on each Insert-Update-Delete operation.
+
+If such triggers are not present, this is a finding.
+
+Check to see that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event (required only where there are locally-defined security tables or procedures)
+102 -- Audit Database Scope GDR
+103 -- Audit Object GDR Event
+104 -- Audit AddLogin Event
+105 -- Audit Login GDR Event
+108 -- Audit Add Login to Server Role Event
+109 -- Audit Add DB User Event
+110 -- Audit Add Member to DB Role Event
+111 -- Audit Add Role Event
+162 -- User error message
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+177 -- Audit Server Principal Management Event
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all GRANT, ALTER SERVER ROLE . . . ADD MEMBER . . ., and/or ALTER ROLE . . . ADD MEMBER . . . actions, all INSERT and UPDATE actions on any locally-defined permissions tables, and all EXECUTE actions on any system or locally-defined permissions-related procedures and functions, are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name IN
+(
+'DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_OBJECT_PERMISSION_CHANGE_GROUP',
+'DATABASE_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_PERMISSION_CHANGE_GROUP',
+'DATABASE_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SERVER_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_PERMISSION_CHANGE_GROUP',
+'SERVER_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_ACCESS_GROUP'
+);
+GO
+
+Examine the list produced by the query.
+
+If any locally-defined permissions tables, procedures, or functions exist, and the list does not include the audit action group SCHEMA_OBJECT_ACCESS_GROUP, this is a finding.
+
+If any of the other audit action groups specified in the WHERE clause are not included in the list, this is a finding.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE" on every row, this is a finding.SRG-APP-000499-DB-000331<GroupDescription></GroupDescription>SQL4-00-037000SQL Server must generate Trace or Audit records when unsuccessful attempts to delete privileges/permissions occur.<VulnDiscussion>Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.
+
+In SQL Server, deleting permissions is typically done via the REVOKE or DENY command; or with the ALTER SERVER ROLE . . . DROP MEMBER . . . and/or ALTER ROLE . . . DROP MEMBER . . . statements.
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82417V-67927CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Add blocks of code to Trace.sql for each custom event class (integers in the range 82-91; the same event class may be used for all such triggers) used in these triggers.
+
+Create triggers to raise a custom event on each locally-defined security table that requires tracking of Insert-Update-Delete operations. The examples provided in the supplemental file CustomTraceEvents.sql can serve as the basis for these.
+
+Execute Trace.sql
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SCHEMA_OBJECT_ACCESS_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+Obtain the list of locally-defined security tables (if any) that require tracking of Insert-Update-Delete operations.
+
+If SQL Server Trace is in use for audit purposes, review these tables for the existence of triggers to raise a custom event on each Insert-Update-Delete operation.
+
+If such triggers are not present, this is a finding.
+
+Check to see that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+42 -- SP:Starting
+43 -- SP:Completed
+82-91 -- User-defined Event (required only where there are locally-defined security tables or procedures)
+102 -- Audit Database Scope GDR
+103 -- Audit Object GDR Event
+104 -- Audit AddLogin Event
+105 -- Audit Login GDR Event
+108 -- Audit Add Login to Server Role Event
+109 -- Audit Add DB User Event
+110 -- Audit Add Member to DB Role Event
+111 -- Audit Add Role Event
+162 -- User error message
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+177 -- Audit Server Principal Management Event
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all GRANT, ALTER SERVER ROLE . . . ADD MEMBER . . ., and/or ALTER ROLE . . . ADD MEMBER . . . actions, all INSERT and UPDATE actions on any locally-defined permissions tables, and all EXECUTE actions on any system or locally-defined permissions-related procedures and functions, are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name IN
+(
+'DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_OBJECT_PERMISSION_CHANGE_GROUP',
+'DATABASE_OWNERSHIP_CHANGE_GROUP',
+'DATABASE_PERMISSION_CHANGE_GROUP',
+'DATABASE_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP',
+'SERVER_OBJECT_PERMISSION_CHANGE_GROUP',
+'SERVER_PERMISSION_CHANGE_GROUP',
+'SERVER_ROLE_MEMBER_CHANGE_GROUP',
+'SCHEMA_OBJECT_ACCESS_GROUP'
+);
+GO
+
+Examine the list produced by the query.
+
+If any locally-defined permissions tables, procedures, or functions exist, and the list does not include the audit action group SCHEMA_OBJECT_ACCESS_GROUP, this is a finding.
+
+If any of the other audit action groups specified in the WHERE clause are not included in the list, this is a finding.
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE" on every row, this is a finding.SRG-APP-000503-DB-000350<GroupDescription></GroupDescription>SQL4-00-037500SQL Server must generate Trace or Audit records when successful logons or connections occur.<VulnDiscussion>For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to SQL Server.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82419V-67929CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+To add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (SUCCESSFUL_LOGIN_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GO
+
+Alternatively, enable "Both failed and successful logins".
+In SQL Management Studio:
+Right-click on the instance.
+>> Select "Properties".
+>> Select "Security" on the left side.
+>> Select "Both failed and successful logins".
+>> Click "OK".If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+14 -- Audit Login
+15 -- Audit Logout
+16 -- Attention
+17 -- ExistingConnection
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the server-level audit action group SUCCESSFUL_LOGIN_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all logons and connections are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'SUCCESSFUL_LOGIN_GROUP';
+GO
+
+If no row is returned, this is a finding.
+
+If the "SUCCESSFUL_LOGIN_GROUP" is returned with the audited_result_column of "SUCCESS" or "SUCCESS AND FAILURE", this is not a finding.
+
+If "SUCCESSFUL_LOGIN_GROUP" is not in the active audit, determine whether "Both failed and successful logins" is enabled.
+
+In SQL Management Studio:
+Right-click on the instance.
+>> Select "Properties".
+>> Select "Security" on the left side.
+>> Check the setting for "Login auditing".
+
+If "Both failed and successful logins" is not selected, this is a finding.SRG-APP-000503-DB-000351<GroupDescription></GroupDescription>SQL4-00-037600SQL Server must generate Trace or Audit records when unsuccessful logons or connection attempts occur.<VulnDiscussion>For completeness of forensic analysis, it is necessary to track failed attempts to log on to SQL Server. While positive identification may not be possible in a case of failed authentication, as much information as possible about the incident must be captured.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82421V-67931CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+To add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (FAILED_LOGIN_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GO
+
+Alternatively, enable "Both failed and successful logins".
+In SQL Management Studio:
+Right-click on the instance.
+>> Select "Properties".
+>> Select "Security" on the left side.
+>> Select "Both failed and successful logins".
+>> Click "OK".If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event ID should be among those listed; if not, this is a finding:
+
+20 -- Audit Login Failed
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the server-level audit action group FAILED_LOGIN_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all logons and connections are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'FAILED_LOGIN_GROUP';
+GO
+
+If no row is returned, this is a finding.
+
+If the "FAILED_LOGIN_GROUP" is returned with the audited_result_column of "FAILURE" or "SUCCESS AND FAILURE", this is not a finding.
+
+If "FAILED_LOGIN_GROUP" is not in the active audit, determine whether "Both failed and successful logins" is enabled.
+
+In SQL Management Studio:
+Right-click on the instance.
+>> Select "Properties".
+>> Select "Security" on the left side.
+>> Check the setting for "Login auditing".
+
+If "Both failed and successful logins" is not selected, this is a finding.SRG-APP-000504-DB-000354<GroupDescription></GroupDescription>SQL4-00-037700SQL Server must generate Trace or Audit records for all privileged activities or other system-level access.<VulnDiscussion>Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+System documentation should include a definition of the functionality considered privileged.
+
+A privileged function in this context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. This encompasses, but is not necessarily limited to:
+CREATE
+ALTER
+DROP
+GRANT
+REVOKE
+DENY
+
+There may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples in SQL include:
+
+TRUNCATE TABLE;
+DELETE, or
+DELETE affecting more than n rows, for some n, or
+DELETE without a WHERE clause;
+
+UPDATE or
+UPDATE affecting more than n rows, for some n, or
+UPDATE without a WHERE clause;
+
+any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal.
+
+Note that it is particularly important to audit, and tightly control, any action that weakens the implementation of this requirement itself, since the objective is to have a complete audit trail of all administrative activity.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82423V-67933CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+For additional actions considered privileged, identify the available event class IDs, or define custom event class IDs (integers in the range 82-91). Add blocks of code for these event IDs to Trace.sql.
+
+Execute Trace.sql.
+
+Define triggers as necessary to support data capture.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used to create an audit; supplement it as necessary to capture any additional, locally-defined privileged activity.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+46 -- Object:Created
+47 -- Object:Deleted
+82-91 -- User-defined Event (required only where there are locally-defined auditable actions)
+115 -- Audit Backup/Restore Event
+116 -- Audit DBCC Event
+117 -- Audit Change Audit Event
+118 -- Audit Object Derived Permission Event
+128 -- Audit Database Management Event
+129 -- Audit Database Object Management Event
+130 -- Audit Database Principal Management Event
+131 -- Audit Schema Object Management Event
+164 -- Object:Altered
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+175 -- Audit Server Alter Trace Event
+176 -- Audit Server Object Management Event
+177 -- Audit Server Principal Management Event
+
+From the system security plan, obtain the list of any other actions considered privileged. For each, verify that event IDs (and triggers, where necessary) have been defined to capture audit information for these.
+
+If they have not, this is a finding.
+
+
+If SQL Server Audit is in use, verify that execution of all CREATE, ALTER, DROP, GRANT, REVOKE and DENY statements, all execution of security-related functions and procedures, and all other actions locally defined as privileged, is audited.
+
+If any such actions are not audited, this is a finding.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all configuration-related actions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>');
+GO
+
+Examine the list produced by the query.
+
+If the audited_result column is not "SUCCESS" or "SUCCESS AND FAILURE" on every row, this is a finding.
+
+If any of the audit action groups listed below is not included in the query results, this is a finding.
+
+If there are locally-defined privileged activities not encompassed by the list below and not tracked in any other way, this is a finding.
+
+APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
+AUDIT_CHANGE_GROUP
+BACKUP_RESTORE_GROUP
+DATABASE_CHANGE_GROUP
+DATABASE_OBJECT_ACCESS_GROUP
+DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
+DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
+DATABASE_OPERATION_GROUP
+DATABASE_OWNERSHIP_CHANGE_GROUP
+DATABASE_PERMISSION_CHANGE_GROUP
+DATABASE_PRINCIPAL_CHANGE_GROUP
+DATABASE_PRINCIPAL_IMPERSONATION_GROUP
+DATABASE_ROLE_MEMBER_CHANGE_GROUP
+DBCC_GROUP
+FAILED_LOGIN_GROUP
+LOGIN_CHANGE_PASSWORD_GROUP
+LOGOUT_GROUP
+SCHEMA_OBJECT_ACCESS_GROUP
+SCHEMA_OBJECT_CHANGE_GROUP
+SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
+SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
+SERVER_OBJECT_CHANGE_GROUP
+SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
+SERVER_OBJECT_PERMISSION_CHANGE_GROUP
+SERVER_OPERATION_GROUP
+SERVER_PERMISSION_CHANGE_GROUP
+SERVER_PRINCIPAL_CHANGE_GROUP
+SERVER_PRINCIPAL_IMPERSONATION_GROUP
+SERVER_ROLE_MEMBER_CHANGE_GROUP
+SERVER_STATE_CHANGE_GROUP
+SUCCESSFUL_LOGIN_GROUP
+TRACE_CHANGE_GROUPSRG-APP-000504-DB-000355<GroupDescription></GroupDescription>SQL4-00-037800SQL Server must generate Trace or Audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.<VulnDiscussion>Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.
+
+System documentation should include a definition of the functionality considered privileged.
+
+A privileged function in this context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. This encompasses, but is not necessarily limited to:
+CREATE
+ALTER
+DROP
+GRANT
+REVOKE
+DENY
+
+There may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples in SQL include:
+
+TRUNCATE TABLE;
+DELETE, or
+DELETE affecting more than n rows, for some n, or
+DELETE without a WHERE clause;
+
+UPDATE or
+UPDATE affecting more than n rows, for some n, or
+UPDATE without a WHERE clause;
+
+any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal.
+
+Note that it is particularly important to audit, and tightly control, any action that weakens the implementation of this requirement itself, since the objective is to have a complete audit trail of all administrative activity.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82425V-67935CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+For additional actions considered privileged, identify the available event class IDs, or define custom event class IDs (integers in the range 82-91). Add blocks of code for these event IDs to Trace.sql.
+
+Execute Trace.sql.
+
+Define triggers as necessary to support data capture.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used to create an audit; supplement it as necessary to capture any additional, locally-defined privileged activity.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should all be among those listed; if not, this is a finding:
+
+46 -- Object:Created
+47 -- Object:Deleted
+82-91 -- User-defined Event (required only where there are locally-defined auditable actions)
+115 -- Audit Backup/Restore Event
+116 -- Audit DBCC Event
+117 -- Audit Change Audit Event
+118 -- Audit Object Derived Permission Event
+128 -- Audit Database Management Event
+129 -- Audit Database Object Management Event
+130 -- Audit Database Principal Management Event
+131 -- Audit Schema Object Management Event
+164 -- Object:Altered
+170 -- Audit Server Scope GDR Event
+171 -- Audit Server Object GDR Event
+172 -- Audit Database Object GDR Event
+173 -- Audit Server Operation Event
+175 -- Audit Server Alter Trace Event
+176 -- Audit Server Object Management Event
+177 -- Audit Server Principal Management Event
+
+From the system security plan, obtain the list of any other actions considered privileged. For each, verify that event IDs (and triggers, where necessary) have been defined to capture audit information for these.
+
+If they have not been defined to capture audit information, this is a finding.
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses broad, server-level audit action groups for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following code to verify that all configuration-related actions are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>');
+GO
+
+Examine the list produced by the query..
+
+If the audited_result column is not "FAILURE" or "SUCCESS AND FAILURE" on every row, this is a finding.
+
+If any of the audit action groups listed below is not included in the query results, this is a finding.
+
+If there are locally-defined privileged activities not encompassed by the list below and not tracked in any other way, this is a finding.
+
+APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
+AUDIT_CHANGE_GROUP
+BACKUP_RESTORE_GROUP
+DATABASE_CHANGE_GROUP
+DATABASE_OBJECT_ACCESS_GROUP
+DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
+DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
+DATABASE_OPERATION_GROUP
+DATABASE_OWNERSHIP_CHANGE_GROUP
+DATABASE_PERMISSION_CHANGE_GROUP
+DATABASE_PRINCIPAL_CHANGE_GROUP
+DATABASE_PRINCIPAL_IMPERSONATION_GROUP
+DATABASE_ROLE_MEMBER_CHANGE_GROUP
+DBCC_GROUP
+FAILED_LOGIN_GROUP
+LOGIN_CHANGE_PASSWORD_GROUP
+LOGOUT_GROUP
+SCHEMA_OBJECT_ACCESS_GROUP
+SCHEMA_OBJECT_CHANGE_GROUP
+SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
+SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
+SERVER_OBJECT_CHANGE_GROUP
+SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
+SERVER_OBJECT_PERMISSION_CHANGE_GROUP
+SERVER_OPERATION_GROUP
+SERVER_PERMISSION_CHANGE_GROUP
+SERVER_PRINCIPAL_CHANGE_GROUP
+SERVER_PRINCIPAL_IMPERSONATION_GROUP
+SERVER_ROLE_MEMBER_CHANGE_GROUP
+SERVER_STATE_CHANGE_GROUP
+SUCCESSFUL_LOGIN_GROUP
+TRACE_CHANGE_GROUPSRG-APP-000505-DB-000352<GroupDescription></GroupDescription>SQL4-00-037900SQL Server must generate Trace or Audit records when logoffs or disconnections occur.<VulnDiscussion>For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to and off from SQL Server.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82427V-67937CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Where SQL Server Audit is in use, design and deploy a SQL Server Audit that captures all auditable events. The script provided in the supplemental file Audit.sql can be used for this.
+
+Alternatively, to add the necessary data capture to an existing server audit specification, run the script:
+USE [master];
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = OFF);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> ADD (LOGOUT_GROUP);
+GO
+ALTER SERVER AUDIT SPECIFICATION <server_audit_specification_name> WITH (STATE = ON);
+GOIf neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+14 -- Audit Login
+15 -- Audit Logout
+16 -- Attention
+17 -- ExistingConnection
+
+
+If SQL Server Audit is in use, proceed as follows.
+
+The basic SQL Server Audit configuration provided in the supplemental file Audit.sql uses the server-level audit action group LOGOUT_GROUP for this purpose. SQL Server Audit's flexibility makes other techniques possible. If an alternative technique is in use and demonstrated effective, this is not a finding.
+
+Determine the name(s) of the server audit specification(s) in use.
+
+To look at audits and audit specifications, in Management Studio's object explorer, expand
+<server name> >> Security >> Audits
+and
+<server name> >> Security >> Server Audit Specifications.
+Also,
+<server name> >> Databases >> <database name> >> Security >> Database Audit Specifications.
+
+Alternatively, review the contents of the system views with "audit" in their names.
+
+Run the following to verify that all logons and connections are being audited:
+USE [master];
+GO
+SELECT * FROM sys.server_audit_specification_details WHERE server_specification_id =
+(SELECT server_specification_id FROM sys.server_audit_specifications WHERE [name] = '<server_audit_specification_name>')
+AND audit_action_name = 'LOGOUT_GROUP';
+GO
+
+If no row is returned, this is a finding.
+
+If the audited_result column is not "SUCCESS AND FAILURE", this is a finding.SRG-APP-000506-DB-000353<GroupDescription></GroupDescription>SQL4-00-038000SQL Server must generate Trace or Audit records when concurrent logons/connections by the same user from different workstations occur.<VulnDiscussion>For completeness of forensic analysis, it is necessary to track who logs on to SQL Server.
+
+Concurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the CAC for authentication; or they may indicate unauthorized account sharing; or they may be because an account has been compromised.
+
+If the fact of multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events (logons/connections; voluntary and involuntary disconnections), then it is not mandatory to create additional log entries specifically for this.
+
+Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82429V-67939CCI-000172Where SQL Server Trace is in use, define and enable a trace that captures all auditable events. The script provided in the supplemental file Trace.sql can be used to do this.
+
+Where SQL Server Audit is in use, enable the SUCCESSFUL_LOGIN_GROUP and LOGOUT_GROUP, as described in other STIG requirements.If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
+
+If SQL Server Trace is in use for audit purposes, verify that all required events are being audited. From the query prompt:
+SELECT * FROM sys.traces;
+All currently defined traces for the SQL server instance will be listed.
+
+If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+
+The following required event IDs should be among those listed; if not, this is a finding:
+
+14 -- Audit Login
+15 -- Audit Logout
+16 -- Attention
+17 -- ExistingConnection
+
+If SQL Server Audit is in use, verify that the SUCCESSFUL_LOGIN_GROUP and LOGOUT_GROUP are enabled, as described in other STIG requirements; if not, this is a finding.SRG-APP-000515-DB-000318<GroupDescription></GroupDescription>SQL4-00-038700SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+The DBMS may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.
+
+This applies to all data output for audit trail purposes, whether produced by SQL Server Audit, Trace, or other means; but excluding audit-trail information built into application data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82431V-67941CCI-001851Deploy and configure software tools to transfer audit records to a centralized log management system, continuously and in near-real time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection.Review the system documentation for a description of how audit records are off-loaded.
+
+If the database server has a continuous network connection to the centralized log management system, but the SQL Server audit records are not written directly to the centralized log management system or transferred in near-real-time, this is a finding.
+
+If the database server does not have a continuous network connection to the centralized log management system, and the SQL Server audit records are not transferred to the centralized log management system weekly or more often, this is a finding.SRG-APP-000164-DB-000401<GroupDescription></GroupDescription>SQL4-00-038900If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.<VulnDiscussion>Windows domain/enterprise authentication and identification must be used (SQL4-00-030300). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.
+
+The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.
+
+In such cases, the DoD standards for password complexity must be implemented.
+
+The requirements for password complexity are:
+a. minimum of 15 Characters, 1 of each of the following character sets:
+- Upper-case
+- Lower-case
+- Numeric
+- Special characters (e.g. ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)];
+b. Minimum number of characters changed from previous password: 50% of the minimum password length (that is, 8).
+
+To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82433V-67943CCI-000192CCI-000193CCI-000194CCI-000195CCI-000205CCI-001619For each SQL Server Login identified in the Check as out of compliance:
+In SQL Server Management Studio Object Explorer, navigate to <SQL Server instance name> >> Security >> Logins >> <login name>. Right-click, select Properties. Select the check box Enforce Password Policy. Click OK.
+
+Alternatively, for each identified Login, run the statement:
+ALTER LOGIN <login name> CHECK_POLICY = ON;Run the statement:
+SELECT
+ name
+FROM
+ sys.sql_logins
+WHERE
+ type_desc = 'SQL_LOGIN'
+ AND is_disabled = 0
+ AND is_policy_checked = 0 ;
+
+If no account names are listed, this is not a finding.
+
+For each account name listed, determine whether it is documented as requiring exemption from the standard password complexity rules, if it is not, this is a finding.SRG-APP-000164-DB-000401<GroupDescription></GroupDescription>SQL4-00-038910If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.<VulnDiscussion>Windows domain/enterprise authentication and identification must be used (SQL4-00-030300). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.
+
+The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.
+
+In such cases, the DoD standards for password lifetime must be implemented.
+
+The requirements for password lifetime are:
+a. Password lifetime limits for interactive accounts: Minimum 24 hours, Maximum 60 days
+b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, Maximum 365 days
+c. Number of password changes before an old one may be reused: Minimum of 5.
+
+To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82435V-67945CCI-000198CCI-000199CCI-000200For each SQL Server Login identified in the Check as out of compliance:
+In SQL Server Management Studio Object Explorer, navigate to <SQL Server instance name> >> Security >> Logins >> <login name>. Right-click, select Properties. Select the check box Enforce Password Expiration. Click OK.
+
+Alternatively, for each identified Login, run the statement:
+ALTER LOGIN <login name> CHECK_EXPIRATION = ON;Run the statement:
+SELECT
+ name
+FROM
+ sys.sql_logins
+WHERE
+ type_desc = 'SQL_LOGIN'
+ AND is_disabled = 0
+ AND is_expiration_checked = 0;
+
+If no account names are listed, this is not a finding.
+
+For each account name listed, determine whether it is documented as requiring exemption from the standard password lifetime rules, if it is not, this is a finding.SRG-APP-000178-DB-000083<GroupDescription></GroupDescription>SQL4-00-039010Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.<VulnDiscussion>To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.
+
+Obfuscation of user-provided information when typed into the system is a method used in addressing this risk.
+
+For example, displaying asterisks when a user types in a password or PIN, is an example of obscuring feedback of authentication information.
+
+Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice must be prohibited and disabled to prevent shoulder surfing.
+
+This calls for review of applications, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82357V-67867CCI-000206Configure or modify applications to prohibit display of passwords in clear text.Determine whether any applications that access the database allow for entry of the account name and password, or PIN.
+
+If any do, determine whether these applications obfuscate authentication data; if they do not, this is a finding.SRG-APP-000178-DB-000083<GroupDescription></GroupDescription>SQL4-00-039020When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.<VulnDiscussion>To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.
+
+Obfuscation of user-provided information when typed into the system is a method used in addressing this risk.
+
+For example, displaying asterisks when a user types in a password or PIN, is an example of obscuring feedback of authentication information.
+
+This requirement is applicable when mixed-mode authentication is enabled. When this is the case, password-authenticated accounts can be created in and authenticated by SQL Server. Other STIG requirements prohibit the use of mixed-mode authentication except when justified and approved. This deals with the exceptions.
+
+SQLCMD and other command-line tools are part of any SQL Server installation. These tools can accept a plain-text password, but do offer alternative techniques. Since the typical user of these tools is a database administrator, the consequences of password compromise are particularly serious. Therefore, the use of plain-text passwords must be prohibited, as a matter of practice and procedure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-82359V-67869CCI-000206Where possible, change the login mode to Windows-only:
+USE [master]
+GO
+EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1;
+GO
+
+If mixed-mode authentication is necessary, then for SQLCMD, which cannot be configured not to accept a plain-text password when mixed-mode authentication is enabled, and any other essential tool with the same limitation:
+1) Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval.
+2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden.Run this query to determine whether SQL Server authentication is enabled:
+EXEC master.sys.xp_loginconfig 'login mode';
+
+If the config_value returned is "Windows NT Authentication", this is not a finding.
+
+For SQLCMD, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations; and that AO approval has been obtained; if not, this is a finding.
+
+Request evidence that all users of the tool are trained in the importance of not using the plain-text password option and in how to keep the password hidden; and that they adhere to this practice; if not, this is a finding.SRG-APP-000516-DB-000363<GroupDescription></GroupDescription>SQL4-00-039100The SQL Server Browser service must be disabled if its use is not necessary..<VulnDiscussion>The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. It avoids the need to hard-assign port numbers to the instances and to set and maintain those port numbers in client systems. It enables administrators and authorized users to discover database management system instances, and the databases they support, over the network.
+
+This convenience also presents the possibility of unauthorized individuals gaining knowledge of the available SQL Server resources. Therefore, it is necessary to consider whether the SQL Server Browser is needed. Typically, if only a single instance is installed, using the default name (MSSQLSERVER) and port assignment (1433), the Browser is not adding any value. The more complex the installation, the more likely SQL Server Browser is to be helpful.
+
+This requirement is not intended to prohibit use of the Browser service in any circumstances; rather, it calls for administrators and management to consider whether the benefits of its use outweigh the potential negative consequences.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991SV-85245V-70623CCI-000366If SQL Server Browser is needed, document the justification and obtain the appropriate approvals.
+
+Where SQL Server Browser is judged unnecessary, in the Services tool, double-click on "SQL Server Browser" to open its "Properties" dialog.
+
+Set Startup Type to "Disabled".
+
+If Service Status is "Running", click on "Stop".
+
+Click on "OK".If the need for the SQL Server Browser service is documented, with appropriate approval, this is not a finding.
+
+Open the Services tool.
+
+Either navigate, via the Windows Start Menu and/or Control Panel, to "Administrative Tools", and select "Services"; or at a command prompt, type "services.msc" and press the "Enter" key.
+
+Scroll to "SQL Server Browser".
+
+If its Startup Type is not shown as "Disabled", this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>SQL4-00-039200Microsoft SQL Server products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
+Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
+
+When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2014 InstanceDISADPMS TargetMS SQL Server 2014 Instance3991CCI-003376Upgrade unsupported DBMS or unsupported components to a supported version of the product.Review the version and release information.
+
+Verify the SQL Server version via one of the following methods:
+Connect to the server by using Object Explorer in SQL Server Management Studio. After Object Explorer is connected, it will show the version information in parentheses, together with the user name that is used to connect to the specific instance of SQL Server.
+
+Or, from SQL Server Management Studio:
+
+SELECT @@VERSION;
+
+More information for finding the version is available at the following link:
+https://learn.microsoft.com/en-us/troubleshoot/sql/releases/find-my-sql-version
+
+SQL Server 2014 is no longer supported by the vendor. If the system is running SQL Server 2014 or earlier, this is a finding.
\ No newline at end of file
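Review bot: The check for SQL4-00-039200, the last rule in this hunk, makes every in-scope system a finding by construction: the rule's DPMS Target is "MS SQL Server 2014 Instance", and the check ends with "SQL Server 2014 is no longer supported by the vendor. If the system is running SQL Server 2014 or earlier, this is a finding." Because the benchmark is scoped to SQL Server 2014 instances, the version-lookup steps above that sentence (Object Explorer, SELECT @@VERSION;, the learn.microsoft.com link) can never produce a "not a finding" outcome; if this is the intended sunset behaviour, the discussion or fix text should say so, otherwise the check should state the earliest supported version instead. The same rule is also the only one in the hunk without SV-/V- vulnerability identifiers ("MS SQL Server 2014 Instance3991CCI-003376", versus e.g. "3991SV-82431V-67941CCI-001851" for SQL4-00-038700), so confirm that the source benchmark really carries none before merging. Two smaller text points: the SQL4-00-039100 title ends in a double period ("...if its use is not necessary..") and the SQL4-00-038900 special-character list has a stray closing bracket ("/ ? > <)];").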
diff --git a/benchmarks/DISA/U_MS_Visio_2013_STIG_V1R5_Manual-xccdf.xml b/benchmarks/DISA/U_MS_Visio_2013_STIG_V1R5_Manual-xccdf.xml
new file mode 100644
index 000000000..7108e4fe1
--- /dev/null
+++ b/benchmarks/DISA/U_MS_Visio_2013_STIG_V1R5_Manual-xccdf.xml
@@ -0,0 +1,91 @@
+acceptedMicrosoft Visio 2013 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 24 Jul 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000210<GroupDescription></GroupDescription>DTOO104Disabling of user name and password syntax from being used in URLs must be enforced.<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Website but actually opens a deceptive (spoofed) Website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
+
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40730SV-52788CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place check in 'visio.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Disable user name and password" is "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO111The Internet Explorer Bind to Object functionality must be enabled.<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
+This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40731SV-52789CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to object" to "Enabled" and place check in 'visio.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Bind to object" is set to "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO117The Saved from URL mark must be selected to enforce Internet zone processing.<VulnDiscussion>Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet; Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40732SV-52790CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place check in 'visio.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Saved from URL" is "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO123Navigation to URLs embedded in Office products must be blocked.<VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40733SV-52791CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and 'visio.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Navigate URL" is "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO124Scripted Window Security must be enforced.<VulnDiscussion>Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
+-Create browser windows appearing to be from the local operating system.
+-Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
+-Overlay parent windows with their own browser windows to hide important system information, choices or prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40734SV-52792CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and 'visio.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO126Add-on Management functionality must be allowed.<VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40735SV-52793CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and place check in 'visio.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Add-on Management" is set to "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\software\Microsoft\internet explorer\main\featurecontrol\feature_addon_management
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO127Add-ins to Office applications must be signed by a Trusted Publisher.<VulnDiscussion>Office 2013 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous add-in. As a result, malicious code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40736SV-52794CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2013 -> Visio Options -> Security -> Trust Center -> "Require that application add-ins are signed by Trusted Publisher" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2013 -> Visio Options -> Security -> Trust Center -> "Require that application add-ins are signed by Trusted Publisher" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\Visio\security
+
+Criteria: If the value requireaddinsig is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO129Links that invoke instances of IE from within an Office product must be blocked.<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40737SV-52795CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and place check in 'visio.exe' check box.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Block popups" is "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000131<GroupDescription></GroupDescription>DTOO131Trust Bar Notifications for unsigned applications must be disabled.<VulnDiscussion>If an application is configured to require all add-ins to be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message informing users about the unsigned add-in. If a user is allowed to make the determination to allow an unsigned add-in, it increases the risk of malicious code being introduced onto the user's computer or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40738SV-52796CCI-001749Set the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2013 -> Visio Options -> Security -> Trust Center -> "Disable Trust Bar Notification for unsigned application add-ins and block them" to "Enabled".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2013 -> Visio Options -> Security -> Trust Center -> "Disable Trust Bar Notification for unsigned application add-ins and block them" is set to "Enabled".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\Visio\security
+
+Criteria: If the value notbpromptunsignedaddin is REG_DWORD = 1, this is not a finding.SRG-APP-000209<GroupDescription></GroupDescription>DTOO132File downloads must be configured for proper restrictions.<VulnDiscussion>Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40739SV-52797CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and 'visio.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict File Download" is set to "Enabled" and 'Visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000112<GroupDescription></GroupDescription>DTOO209Protection from zone elevation must be enforced.<VulnDiscussion>Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40740SV-52798CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and 'visio.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" is set to "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO211ActiveX installs must be configured for proper restrictions.<VulnDiscussion>Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations and these prompts display to users. This could allow malicious code to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40741SV-52799CCI-002460Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and 'visio.exe' is checked.Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" is set to "Enabled" and 'visio.exe' is checked.
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+
+Criteria: If the value visio.exe is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO304Warning Bar settings for VBA macros must be configured.<VulnDiscussion>When users open files containing VBA Macros, applications open the files with the macros disabled and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them. Disabling or not configuring this setting may allow dangerous macros to become active on user computers or the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40742SV-52800CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2013 -> Visio Options -> Security -> Trust Center -> "VBA Macro Notification Settings" to "Enabled: Disable all with notification".Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2013 -> Visio Options -> Security -> Trust Center -> "VBA Macro Notification Settings" is set to "Enabled: Disable all with notification".
+
+Procedure: Use the Windows Registry Editor to navigate to the following key:
+
+HKCU\software\policies\Microsoft\office\15.0\Visio\security
+
+Criteria: If the value vbawarnings is REG_DWORD = 2, this is not a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTOO999-Visio13The version of Visio running on the system must be a supported version.<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
+
+Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).
+
+This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.
+
+The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389CCI-002605Upgrade to a supported version.Visio 2013 is no longer supported by the vendor. If the system is running Visio 2013, this is a finding.
\ No newline at end of file
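Review bot: the file content in this hunk does not read as well-formed XCCDF, so please confirm the committed benchmarks/DISA/U_CAN_Ubuntu_18-04_LTS_STIG_V2R15_Manual-xccdf.xml actually retains its element markup and validates before merge. Throughout the hunk, rule metadata runs together with no element boundaries (for example `DPMS Target Microsoft Visio 2013DISADPMS TargetMicrosoft Visio 20135389V-40735SV-52793CCI-001662`), the `Procedure:` / `Criteria:` check text is not enclosed in any check-content element, and only a few inner tags such as `<VulnDiscussion>` and `<GroupDescription>` survive; a scanner or converter consuming this file as XCCDF will fail to parse it in this form. Two further points on the visible lines: the file ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so future diffs stay clean; and the last rule, DTOO999-Visio13, states that Visio 2013 is no longer supported by the vendor and that any system running it is a finding, so the PR description should call out that this benchmark is being vendored for a product the benchmark itself marks as unsupported. Also note the file name says Ubuntu 18.04 while every rule in the hunk targets Microsoft Visio 2013 (`DPMS Target Microsoft Visio 2013`, V-40735 through V-40742), so the wrong benchmark may have been committed under this path.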
diff --git a/benchmarks/DISA/U_RHEL_7_STIG_V3R15_Manual-xccdf.xml b/benchmarks/DISA/U_RHEL_7_STIG_V3R15_Manual-xccdf.xml
new file mode 100644
index 000000000..f0d88f745
--- /dev/null
+++ b/benchmarks/DISA/U_RHEL_7_STIG_V3R15_Manual-xccdf.xml
@@ -0,0 +1,4849 @@
+acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 15 Benchmark Date: 24 Jul 20243.51.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
+
+Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file:
+
+ # rpm -qf <filename>
+
+Reset the user and group ownership of files within a package with the following command:
+
+ # rpm --setugids <packagename>
+
+
+Reset the permissions of files within a package with the following command:
+
+ # rpm --setperms <packagename>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.
+
+Check the default file permissions, ownership, and group membership of system files and commands with the following command:
+
+ # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done
+
+ /var/log/gdm 040755 root root
+ /etc/audisp/audisp-remote.conf 0100640 root root
+ /usr/bin/passwd 0104755 root root
+
+For each file returned, verify the current permissions, ownership, and group membership:
+ # ls -la <filename>
+
+ -rw-------. 1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf
+
+If the file is more permissive than the default permissions, this is a finding.
+
+If the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.
+
+If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010030The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71859SV-86483CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
+
+# touch /etc/dconf/db/local.d/01-banner-message
+
+Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
+
+[org/gnome/login-screen]
+banner-message-enable=true
+
+Update the system databases:
+
+# dconf update
+
+Users must log out and back in again before the system-wide settings take effect.Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Check to see if the operating system displays a banner at the logon screen with the following command:
+
+# grep banner-message-enable /etc/dconf/db/local.d/*
+banner-message-enable=true
+
+If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010040The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy.
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71861SV-86485CCI-000048Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
+
+Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
+
+Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
+
+# touch /etc/dconf/db/local.d/01-banner-message
+
+Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
+
+[org/gnome/login-screen]
+
+banner-message-enable=true
+
+banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
+
+Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
+
+Run the following command to update the database:
+# dconf updateVerify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
+
+Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
+
+Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:
+
+# grep banner-message-text /etc/dconf/db/local.d/*
+banner-message-text=
+'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
+
+Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
+
+If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010050The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71863SV-86487CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the "/etc/issue" file.
+
+Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.
+
+Check to see if the operating system displays a banner at the command line logon screen with the following command:
+
+# more /etc/issue
+
+The command should return the following text:
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
+
+If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-07-010060The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
+
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86515V-71891CCI-000056Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example:
+
+ # touch /etc/dconf/db/local.d/00-screensaver
+
+Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines:
+
+ # Set this to true to lock the screen when the screensaver activates
+ lock-enabled=true
+
+Update the system databases:
+
+ # dconf update
+
+Users must log out and back in again before the system-wide settings take effect.Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Check to see if the screen lock is enabled with the following command:
+
+ # grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks
+ lock-enabled=true
+
+If the "lock-enabled" setting is missing or is not set to "true", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-010061The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.<VulnDiscussion>To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+
+Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77819SV-92515CCI-001948CCI-001953CCI-001954Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
+
+# touch /etc/dconf/db/local.d/00-defaults
+
+Edit "[org/gnome/login-screen]" and add or update the following line:
+enable-smartcard-authentication=true
+
+Update the system databases:
+# dconf updateVerify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Determine which profile the system database is using with the following command:
+
+# grep system-db /etc/dconf/profile/user
+
+system-db:local
+
+Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used.
+
+# grep enable-smartcard-authentication /etc/dconf/db/local.d/*
+
+enable-smartcard-authentication=true
+
+If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010070The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71893SV-86517CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+ # touch /etc/dconf/db/local.d/00-screensaver
+
+Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:
+
+ [org/gnome/desktop/session]
+ # Set the lock time out to 900 seconds before the session is considered idle
+ idle-delay=uint32 900
+
+You must include the "uint32" along with the integer key values as shown.
+
+Update the system databases:
+
+ # dconf update
+
+Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:
+
+ # grep -i idle-delay /etc/dconf/db/local.d/*
+ idle-delay=uint32 900
+
+If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010081The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73155SV-87807CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
+
+ # touch /etc/dconf/db/local.d/locks/session
+
+Add the setting to lock the screensaver lock delay:
+
+ /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Determine which profile the system database is using with the following command:
+ # grep system-db /etc/dconf/profile/user
+ system-db:local
+
+Check for the lock delay setting with the following command:
+
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
+
+ # grep -i lock-delay /etc/dconf/db/local.d/locks/*
+ /org/gnome/desktop/screensaver/lock-delay
+
+If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010082The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73157SV-87809CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.
+
+ # touch /etc/dconf/db/local.d/locks/session
+
+Add the setting to lock the session idle delay:
+
+ /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Determine which profile the system database is using with the following command:
+ # grep system-db /etc/dconf/profile/user
+ system-db:local
+
+Check for the session idle delay setting with the following command:
+
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
+
+ # grep -i idle-delay /etc/dconf/db/local.d/locks/*
+ /org/gnome/desktop/session/idle-delay
+
+If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010100The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71899SV-86523CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+ # touch /etc/dconf/db/local.d/00-screensaver
+
+Add the setting to enable screensaver locking after 15 minutes of inactivity:
+
+ [org/gnome/desktop/screensaver]
+
+ idle-activation-enabled=true
+
+Update the system databases:
+
+ # dconf update
+
+Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces.
+
+Note: If the system does not have a GNOME installed, this requirement is Not Applicable.
+
+Check for the session lock settings with the following commands:
+
+ # grep -i idle-activation-enabled /etc/dconf/db/local.d/*
+ idle-activation-enabled=true
+
+If "idle-activation-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010101The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78997SV-93703CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
+
+ # touch /etc/dconf/db/local.d/locks/session
+
+Add the setting to lock the screensaver idle-activation-enabled setting:
+
+ /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Determine which profile the system database is using with the following command:
+ # grep system-db /etc/dconf/profile/user
+
+ system-db:local
+
+Check for the idle-activation-enabled setting with the following command:
+
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
+
+ # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*
+
+ /org/gnome/desktop/screensaver/idle-activation-enabled
+
+If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010110The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71901SV-86525CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+ # touch /etc/dconf/db/local.d/00-screensaver
+
+Add the setting to enable session locking when a screensaver is activated:
+
+ [org/gnome/desktop/screensaver]
+ lock-delay=uint32 5
+
+The "uint32" must be included along with the integer key values as shown.
+
+Update the system databases:
+
+ # dconf update
+
+Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:
+
+ # grep -i lock-delay /etc/dconf/db/local.d/*
+ lock-delay=uint32 5
+
+If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010118The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.<VulnDiscussion>Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95715V-81003CCI-000192Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.
+
+Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value):
+
+password substack system-authVerify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:
+
+# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth
+password substack system-auth
+
+If no results are returned, the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010119The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87811V-73159CCI-000192Configure the operating system to use "pwquality" to enforce password complexity rules.
+
+Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value):
+
+ password requisite pam_pwquality.so retry=3
+
+Note: The value of "retry" should be between "1" and "3".Verify the operating system uses "pwquality" to enforce the password complexity rules.
+
+Check for the use of "pwquality" with the following command:
+
+ # cat /etc/pam.d/system-auth | grep pam_pwquality
+
+ password requisite pam_pwquality.so retry=3
+
+If the command does not return an uncommented line containing the value "pam_pwquality.so" as shown, this is a finding.
+
+If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010120The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86527V-71903CCI-000192Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.
+
+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
+ucredit = -1Note: The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
+
+Check the value for "ucredit" in "/etc/security/pwquality.conf" with the following command:
+
+# grep ucredit /etc/security/pwquality.conf
+ucredit = -1
+
+If the value of "ucredit" is not set to a negative value, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-07-010130The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86529V-71905CCI-000193Configure the system to require at least one lower-case character when creating or changing a password.
+
+Add or modify the following line
+in "/etc/security/pwquality.conf":
+
+lcredit = -1Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
+
+Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command:
+
+# grep lcredit /etc/security/pwquality.conf
+lcredit = -1
+
+If the value of "lcredit" is not set to a negative value, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-07-010140The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86531V-71907CCI-000194Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option.
+
+Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+
+dcredit = -1Note: The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
+
+Check the value for "dcredit" in "/etc/security/pwquality.conf" with the following command:
+
+# grep dcredit /etc/security/pwquality.conf
+dcredit = -1
+
+If the value of "dcredit" is not set to a negative value, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-07-010150The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86533V-71909CCI-001619Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option.
+
+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
+ocredit = -1Verify the operating system enforces password complexity by requiring that at least one special character be used.
+
+Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
+
+Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command:
+
+# grep ocredit /etc/security/pwquality.conf
+ocredit=-1
+
+If the value of "ocredit" is not set to a negative value, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010160The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71911SV-86535CCI-000195Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option.
+
+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
+difok = 8The "difok" option sets the number of characters in a password that must not be present in the old password.
+
+Check for the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:
+
+# grep difok /etc/security/pwquality.conf
+difok = 8
+
+If the value of "difok" is set to less than "8", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010170The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71913SV-86537CCI-000195Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option.
+
+Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
+
+minclass = 4The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others).
+
+Check for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:
+
+# grep minclass /etc/security/pwquality.conf
+minclass = 4
+
+If the value of "minclass" is set to less than "4", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010180The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86539V-71915CCI-000195Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.
+
+Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
+
+maxrepeat = 3The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.
+
+Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
+
+# grep maxrepeat /etc/security/pwquality.conf
+maxrepeat = 3
+
+If the value of "maxrepeat" is set to more than "3", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86541V-71917CCI-000195Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option.
+
+Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
+
+maxclassrepeat = 4The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password.
+
+Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
+
+$ sudo grep maxclassrepeat /etc/security/pwquality.conf
+maxclassrepeat = 4
+
+If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords.
+
+Add the following line in "/etc/pam.d/system-auth":
+ password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+Add the following line in "/etc/pam.d/password-auth":
+ password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility; otherwise, manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
+
+Check that the system is configured to create SHA512 hashed passwords with the following command:
+
+ # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth
+
+Outcome should look like following:
+ /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+ /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010210The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71921SV-86545CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords.
+
+Add or update the following line in "/etc/login.defs":
+
+ENCRYPT_METHOD SHA512Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
+
+Check that the system is configured to create SHA512 hashed passwords with the following command:
+
+# grep -i encrypt /etc/login.defs
+ENCRYPT_METHOD SHA512
+
+If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010220The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71923SV-86547CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords.
+
+Add or update the following line in "/etc/libuser.conf" in the [defaults] section:
+
+crypt_style = sha512Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512".
+
+Check that the system is configured to create "SHA512" hashed passwords with the following command:
+
+# grep -i sha512 /etc/libuser.conf
+
+crypt_style = sha512
+
+If the "crypt_style" variable is not set to "sha512", is not in the defaults section, is commented out, or does not exist, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-07-010230The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71925SV-86549CCI-000198Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.
+
+Add the following line in "/etc/login.defs" (or modify the line to have the required value):
+
+PASS_MIN_DAYS 1Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts.
+
+Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:
+
+# grep -i pass_min_days /etc/login.defs
+PASS_MIN_DAYS 1
+
+If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-07-010240The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86551V-71927CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
+
+# chage -m 1 [user]Check whether the minimum time period between password changes for each user account is one day or greater.
+
+# awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
+
+If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>RHEL-07-010250The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71929SV-86553CCI-000199Configure the operating system to enforce a 60-day maximum password lifetime restriction.
+
+Add the following line in "/etc/login.defs" (or modify the line to have the required value):
+
+PASS_MAX_DAYS 60If passwords are not being used for authentication, this is Not Applicable.
+
+Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.
+
+Check for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following command:
+
+# grep -i pass_max_days /etc/login.defs
+PASS_MAX_DAYS 60
+
+If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>RHEL-07-010260The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71931SV-86555CCI-000199Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
+
+# chage -M 60 [user]Check whether the maximum time period for existing passwords is restricted to 60 days.
+
+# awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow
+
+If any results are returned that are not associated with a system account, this is a finding.
+SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-07-010270The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71933SV-86557CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations.
+
+Add the following line in "/etc/pam.d/system-auth" (or modify the line to have the required value):
+
+password requisite pam_pwhistory.so remember=5 retry=3
+
+Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value):
+
+password requisite pam_pwhistory.so use_authtok remember=5 retry=3
+
+Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility; otherwise, manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system prohibits password reuse for a minimum of five generations.
+
+Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command:
+
+ # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth
+ password requisite pam_pwhistory.so use_authtok remember=5 retry=3
+
+If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-07-010280The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71935SV-86559CCI-000205Configure operating system to enforce a minimum 15-character password length.
+
+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
+minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
+
+Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command:
+
+# grep minlen /etc/security/pwquality.conf
+minlen = 15
+
+If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
+
+Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
+
+Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command:
+
+ # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
+
+If this produces any output, it may be possible to log on with accounts with empty passwords.
+
+If null passwords can be used, this is a finding.SRG-OS-000106-GPOS-00053<GroupDescription></GroupDescription>RHEL-07-010300The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86563V-71939CCI-000766To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
+
+PermitEmptyPasswords no
+
+The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:
+
+# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
+PermitEmptyPasswords no
+
+If no line, a commented line, or a line indicating the value "no" is returned, the required value is set.
+
+If the required value is not set, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-07-010310The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
+
+Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86565V-71941CCI-000795Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) 35 days after the password has expired.
+
+Add the following line to "/etc/default/useradd" (or modify the line to have the required value):
+
+ INACTIVE=35
+
+DOD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.If passwords are not being used for authentication, this is Not Applicable.
+
+Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password has expired with the following command:
+
+ # grep -i inactive /etc/default/useradd
+ INACTIVE=35
+
+If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
+
+Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71943SV-86567CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
+
+Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+account required pam_faillock.so
+
+Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:
+
+ # grep pam_faillock.so /etc/pam.d/password-auth
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+account required pam_faillock.so
+
+If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
+
+If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
+
+If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
+
+If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
+
+Note: The maximum configurable value for "unlock_time" is "604800".
+
+If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
+
+ # grep pam_faillock.so /etc/pam.d/system-auth
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+account required pam_faillock.so
+
+If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
+
+If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
+
+If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
+
+If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding.
+
+Note: The maximum configurable value for "unlock_time" is "604800".
+
+If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010330The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
+
+Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71945SV-86569CCI-002238Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made.
+
+Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+account required pam_faillock.so
+
+Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made.
+
+ # grep pam_faillock.so /etc/pam.d/password-auth
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+account required pam_faillock.so
+
+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.
+
+ # grep pam_faillock.so /etc/pam.d/system-auth
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+account required pam_faillock.so
+
+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71947SV-86571CCI-002038Configure the operating system to require users to supply a password for privilege escalation.
+
+Check the configuration of the "/etc/sudoers" file with the following command:
+$ sudo visudo
+
+Remove any occurrences of "NOPASSWD" tags in the file.
+
+Check the configuration of the /etc/sudoers.d/* files with the following command:
+$ sudo grep -ir nopasswd /etc/sudoers.d
+
+Remove any occurrences of "NOPASSWD" tags in the file.Verify the operating system requires users to supply a password for privilege escalation.
+
+Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
+
+$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d
+
+If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
+
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71949SV-86573CCI-002038Configure the operating system to require users to reauthenticate for privilege escalation.
+
+Check the configuration of the "/etc/sudoers" file with the following command:
+
+# visudo
+Remove any occurrences of "!authenticate" tags in the file.
+
+Check the configuration of the "/etc/sudoers.d/*" files with the following command:
+
+# grep -i authenticate /etc/sudoers /etc/sudoers.d/*
+Remove any occurrences of "!authenticate" tags in the file(s).Verify the operating system requires users to reauthenticate for privilege escalation.
+
+Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
+
+# grep -i authenticate /etc/sudoers /etc/sudoers.d/*
+
+If any uncommented line is found with a "!authenticate" tag, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-07-010430The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
+
+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86575V-71951CCI-000366Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.
+
+Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater:
+
+FAIL_DELAY 4Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.
+
+Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command:
+
+# grep -i fail_delay /etc/login.defs
+FAIL_DELAY 4
+
+If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010440The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71953SV-86577CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":
+
+[daemon]
+AutomaticLoginEnable=falseVerify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command:
+
+# grep -i automaticloginenable /etc/gdm/custom.conf
+AutomaticLoginEnable=false
+
+If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010450The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71955SV-86579CCI-000366Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":
+
+[daemon]
+TimedLoginEnable=falseVerify the operating system does not allow an unrestricted logon to the system via a graphical user interface.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command:
+
+# grep -i timedloginenable /etc/gdm/custom.conf
+TimedLoginEnable=false
+
+If the value of "TimedLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010460The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86581V-71957CCI-000366Configure the operating system to not allow users to override environment variables to the SSH daemon.
+
+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no":
+
+PermitUserEnvironment no
+
+The SSH service must be restarted for changes to take effect.Verify the operating system does not allow users to override environment variables to the SSH daemon.
+
+Check for the value of the "PermitUserEnvironment" keyword with the following command:
+
+# grep -i permituserenvironment /etc/ssh/sshd_config
+PermitUserEnvironment no
+
+If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010470The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86583V-71959CCI-000366Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.
+
+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no":
+
+HostbasedAuthentication no
+
+The SSH service must be restarted for changes to take effect.Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.
+
+Check for the value of the "HostbasedAuthentication" keyword with the following command:
+
+# grep -i hostbasedauthentication /etc/ssh/sshd_config
+HostbasedAuthentication no
+
+If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010481The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77823SV-92519CCI-000213Configure the operating system to require authentication upon booting into single-user and maintenance modes.
+
+Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin":
+
+ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"Verify the operating system must require authentication upon booting into single-user and maintenance modes.
+
+Check that the operating system requires authentication upon booting into single-user mode with the following command:
+
+# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin
+
+ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+
+If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010482Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95717V-81005CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.
+
+Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+$ sudo grub2-setpassword
+Enter password:
+Confirm password:For systems that use UEFI, this is Not Applicable.
+
+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
+
+Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:
+
+$ sudo grep -iw grub2_password /boot/grub2/user.cfg
+GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
+
+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010491Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95719V-81007CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
+
+Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+$ sudo grub2-setpassword
+Enter password:
+Confirm password:For systems that use BIOS, this is Not Applicable.
+
+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
+
+Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:
+
+$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
+GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
+
+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
+
+1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication;
+
+and
+
+2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
+
+Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71965SV-86589CCI-000766Configure the operating system to require individuals to be authenticated with a multifactor authenticator.
+
+Enable smartcard logons with the following commands:
+
+# authconfig --enablesmartcard --smartcardaction=0 --update
+# authconfig --enablerequiresmartcard -update
+
+Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line:
+
+#/usr/X11R6/bin/xscreensaver-command -lock
+
+Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.
+
+Check to see if smartcard authentication is enforced on the system:
+
+# authconfig --test | grep "pam_pkcs11 is enabled"
+
+If no results are returned, this is a finding.
+
+# authconfig --test | grep "smartcard removal action"
+
+If "smartcard removal action" is blank, this is a finding.
+
+# authconfig --test | grep "smartcard module"
+
+If any of the above checks are not configured, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. If there is no evidence of multifactor authentication, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020000The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71967SV-86591CCI-000381Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:
+
+# yum remove rsh-serverCheck to see if the rsh-server package is installed with the following command:
+
+# yum list installed rsh-server
+
+If the rsh-server package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020010The Red Hat Enterprise Linux operating system must not have the ypserv package installed.<VulnDiscussion>Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71969SV-86593CCI-000381Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command:
+
+# yum remove ypservThe NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.
+
+Check to see if the "ypserve" package is installed with the following command:
+
+# yum list installed ypserv
+
+If the "ypserv" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020020The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86595V-71971CCI-002165CCI-002235Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
+
+Use the following command to map a new user to the "staff_u" SELinux user:
+
+ $ sudo semanage login -a -s staff_u <username>
+
+Use the following command to map an existing user to the "staff_u" SELinux user:
+
+ $ sudo semanage login -m -s staff_u <username>
+
+Use the following command to map a new user to the "user_u" SELinux user:
+
+ $ sudo semanage login -a -s user_u <username>
+
+Use the following command to map an existing user to the "user_u" SELinux user:
+
+ $ sudo semanage login -m -s user_u <username>Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
+
+Get a list of authorized users for the system.
+
+Check the list against the system by using the following command:
+
+ $ sudo semanage login -l | more
+
+ Login Name SELinux User MLS/MCS Range Service
+
+ __default__ user_u s0-s0:c0.c1023 *
+ root unconfined_u s0-s0:c0.c1023 *
+ system_u system_u s0-s0:c0.c1023 *
+ joe staff_u s0-s0:c0.c1023 *
+
+All administrators must be mapped to the , "staff_u", or an appropriately tailored confined SELinux user as defined by the organization.
+
+All authorized non-administrative users must be mapped to the "user_u" SELinux user.
+
+If they are not mapped in this way, this is a finding.
+If administrator accounts are mapped to the "sysadm_u" SELinux user and are not documented as an operational requirement with the ISSO, this is a finding.
+If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020030The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
+
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly.
+
+The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:
+
+ # more /etc/cron.daily/aide
+ #!/bin/bash
+
+ /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+
+Note: Per requirement RHEL-07-020028, the "mailx" package must be installed on the system to enable email functionality.Verify the operating system routinely checks the baseline configuration for unauthorized changes.
+
+Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.
+
+Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.
+
+Check the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:
+
+ # ls -al /etc/cron.* | grep aide
+ -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide
+
+ # grep aide /etc/crontab /var/spool/cron/root
+ /etc/crontab: 30 04 * * * root /usr/sbin/aide --check
+ /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check
+
+If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020040The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
+
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.
+
+The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.
+
+ # more /etc/cron.daily/aide
+
+ /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+
+Note: Per requirement RHEL-07-020028, the "mailx" package must be installed on the system to enable email functionality.Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.
+
+Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.
+
+Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.
+
+Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:
+
+ # ls -al /etc/cron.* | grep aide
+ -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide
+
+ # grep aide /etc/crontab /var/spool/cron/root
+ /etc/crontab: 30 04 * * * root /usr/sbin/aide --check
+ /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check
+
+AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:
+
+ # more /etc/cron.daily/aide
+ #!/bin/bash
+
+ /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+
+If the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020050The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
+
+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71977SV-86601CCI-001749Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file:
+
+gpgcheck=1Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.
+
+Check that yum verifies the signature of packages from a repository prior to install with the following command:
+
+# grep gpgcheck /etc/yum.conf
+gpgcheck=1
+
+If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
+
+If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020060The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
+
+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71979SV-86603CCI-001749Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file:
+
+localpkg_gpgcheck=1Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.
+
+Check that yum verifies the signature of local packages prior to install with the following command:
+
+# grep localpkg_gpgcheck /etc/yum.conf
+localpkg_gpgcheck=1
+
+If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified.
+
+If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020100The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86607V-71983CCI-000366CCI-000778CCI-001958Configure the operating system to disable the ability to use the USB Storage kernel module.
+
+Create a file under "/etc/modprobe.d" with the following command:
+
+ # touch /etc/modprobe.d/usb-storage.conf
+
+Add the following line to the created file:
+
+ install usb-storage /bin/false
+
+Configure the operating system to disable the ability to use USB mass storage devices.
+
+ # vi /etc/modprobe.d/blacklist.conf
+
+Add or update the line:
+
+ blacklist usb-storageVerify the operating system disables the ability to load the USB Storage kernel module.
+
+ # grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/false" | grep -v "^#"
+ install usb-storage /bin/false
+
+If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
+
+Verify the operating system disables the ability to use USB mass storage devices.
+
+Check to see if USB mass storage is disabled with the following command:
+
+ # grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
+ blacklist usb-storage
+
+If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-07-020101The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.<VulnDiscussion>Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77821SV-92517CCI-001958Configure the operating system to disable the ability to use the DCCP kernel module.
+
+Create a file under "/etc/modprobe.d" with the following command:
+
+ # touch /etc/modprobe.d/dccp.conf
+
+Add the following line to the created file:
+
+ install dccp /bin/false
+
+Ensure that the DCCP module is blacklisted:
+
+ # vi /etc/modprobe.d/blacklist.conf
+
+Add or update the line:
+
+ blacklist dccpVerify the operating system disables the ability to load the DCCP kernel module.
+
+ # grep -r dccp /etc/modprobe.d/* | grep -i "/bin/false" | grep -v "^#"
+ install dccp /bin/false
+
+If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
+
+Verify the operating system disables the ability to use the DCCP kernel module.
+
+Check to see if the DCCP kernel module is disabled with the following command:
+
+ # grep -i dccp /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
+ blacklist dccp
+
+If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020110The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71985SV-86609CCI-000366CCI-000778CCI-001958Configure the operating system to disable the ability to automount devices.
+
+Turn off the automount service with the following commands:
+
+# systemctl stop autofs
+# systemctl disable autofs
+
+If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the operating system disables the ability to automount devices.
+
+Check to see if automounter service is active with the following command:
+
+# systemctl status autofs
+autofs.service - Automounts filesystems on demand
+ Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
+ Active: inactive (dead)
+
+If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-07-020200The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71987SV-86611CCI-002617Configure the operating system to remove all software components after updated versions have been installed.
+
+Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file:
+
+clean_requirements_on_remove=1Verify the operating system removes all software components after updated versions have been installed.
+
+Check if yum is configured to remove unneeded packages with the following command:
+
+# grep -i clean_requirements_on_remove /etc/yum.conf
+clean_requirements_on_remove=1
+
+If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020210The Red Hat Enterprise Linux operating system must enable SELinux.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71989SV-86613CCI-002165CCI-002696Configure the operating system to verify correct operation of all security functions.
+
+Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line:
+
+ SELINUX=enforcing
+
+A reboot is required for the changes to take effect.Verify the operating system verifies correct operation of all security functions.
+
+Check if "SELinux" is active and in "Enforcing" mode with the following command:
+
+ # getenforce
+ Enforcing
+
+If "SELinux" is not active and not in "Enforcing" mode, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020220The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71991SV-86615CCI-002165CCI-002696Configure the operating system to verify correct operation of all security functions.
+
+Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line:
+
+ SELINUXTYPE=targeted
+
+A reboot is required for the changes to take effect.Verify the operating system verifies correct operation of all security functions.
+
+Check if "SELinux" is active and is enforcing the targeted policy with the following command:
+
+ # sestatus
+ SELinux status: enabled
+ SELinuxfs mount: /selinux
+ SELinux root directory: /etc/selinux
+ Loaded policy name: targeted
+ Current mode: enforcing
+ Mode from config file: enforcing
+ Policy MLS status: enabled
+ Policy deny_unknown status: allowed
+ Max kernel policy version: 28
+
+If the "Loaded policy name" is not set to "targeted", this is a finding.
+
+Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted":
+
+ # grep -i "selinuxtype" /etc/selinux/config | grep -v '^#'
+ SELINUXTYPE = targeted
+
+If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020230The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86617V-71993CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:
+
+ # systemctl disable ctrl-alt-del.target
+
+ # systemctl mask ctrl-alt-del.targetVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
+
+Check that the ctrl-alt-del.target is masked and not active with the following command:
+
+ # systemctl status ctrl-alt-del.target
+
+ ctrl-alt-del.target
+ Loaded: masked (/dev/null; bad)
+ Active: inactive (dead)
+
+If the ctrl-alt-del.target is not masked, this is a finding.
+
+If the ctrl-alt-del.target is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020231The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-94843SV-104673CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:
+
+# touch /etc/dconf/db/local.d/00-disable-CAD
+
+Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:
+
+[org/gnome/settings-daemon/plugins/media-keys]
+logout=''Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
+
+Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:
+
+# grep logout /etc/dconf/db/local.d/*
+
+logout=''
+
+If "logout" is not set to use two single quotations, or is missing, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>RHEL-07-020240The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86619V-71995CCI-000366Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
+
+Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":
+
+UMASK 077Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.
+
+Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:
+
+Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.
+
+# grep -i umask /etc/login.defs
+UMASK 077
+
+If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020250The Red Hat Enterprise Linux operating system must be a vendor supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86621V-71997CCI-000366Upgrade to a supported version of the operating system.Verify the version of the operating system is vendor supported.
+
+Check the version of the operating system with the following command:
+
+# cat /etc/redhat-release
+
+Red Hat Enterprise Linux Server release 7.9 (Maipo)
+
+Current End of Maintenance Support for RHEL 7.9 is 30 June 2024.
+
+If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).
+
+Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.
+
+Check that the available package security updates have been installed on the system with the following command:
+
+# yum history list | more
+Loaded plugins: langpacks, product-id, subscription-manager
+ID | Command line | Date and time | Action(s) | Altered
+-------------------------------------------------------------------------------
+ 70 | install aide | 2016-05-05 10:58 | Install | 1
+ 69 | update -y | 2016-05-04 14:34 | Update | 18 EE
+ 68 | install vlc | 2016-04-21 17:12 | Install | 21
+ 67 | update -y | 2016-04-21 17:04 | Update | 7 EE
+ 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE
+
+If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding.
+
+Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.
+
+If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020270The Red Hat Enterprise Linux operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86625V-72001CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account.
+
+Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions.
+
+Document all authorized accounts on the system.Verify all accounts on the system are assigned to an active system, application, or user account.
+
+Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).
+
+Check the system accounts on the system with the following command:
+
+# more /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+games:x:12:100:games:/usr/games:/sbin/nologin
+gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
+
+Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions.
+
+If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-020300The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.<VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72003SV-86627CCI-000764Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file.
+
+Check that all referenced GIDs exist with the following command:
+
+# pwck -r
+
+If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020310The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86629V-72005CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0".
+
+If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.Check the system for duplicate UID "0" assignments with the following command:
+
+# awk -F: '$3 == 0 {print $1}' /etc/passwd
+
+If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020320The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86631V-72007CCI-002165Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command:
+
+# chown <user> <file>Verify all files and directories on the system have a valid owner.
+
+Check the owner of all files and directories with the following command:
+
+Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
+
+# find / -fstype xfs -nouser
+
+If any files on the system do not have an assigned owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020330The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.<VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72009SV-86633CCI-002165Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
+
+# chgrp <group> <file>Verify all files and directories on the system have a valid group.
+
+Check the owner of all files and directories with the following command:
+
+Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
+
+# find / -fstype xfs -nogroup
+
+If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020610The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72013SV-86637CCI-000366Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
+
+CREATE_HOME yesVerify all local interactive users on the system are assigned a home directory upon creation.
+
+Check to see if the system is configured to create home directories for local interactive users with the following command:
+
+# grep -i create_home /etc/login.defs
+CREATE_HOME yes
+
+If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020620The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
+
+In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72015SV-86639CCI-000366Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd".
+
+# mkdir /home/smithj
+# chown smithj /home/smithj
+# chgrp users /home/smithj
+# chmod 0750 /home/smithjVerify local interactive users on the system have a home directory assigned and the directory exists.
+
+Check the home directory assignment for all local interactive non-privileged users on the system with the following command:
+
+# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
+
+smithj 1001 /home/smithj
+
+Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+Check that all referenced home directories exist with the following command:
+
+# pwck -r
+user 'smithj': directory '/home/smithj' does not exist
+
+If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020630The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86641V-72017CCI-000366Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
+
+Note: The example will be for the user "smithj".
+
+# chmod 0750 /home/smithjVerify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.
+
+Check the home directory assignment for all non-privileged users on the system with the following command:
+
+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
+
+If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020640The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.<VulnDiscussion>If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86643V-72019CCI-000366Change the owner of a local interactive user's home directories to that owner. To change the owner of a local interactive user's home directory, use the following command:
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
+
+# chown smithj /home/smithjVerify the assigned home directory of all local interactive users on the system exists.
+
+Check the home directory assignment for all local interactive users on the system with the following command:
+
+# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+
+-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
+
+If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020650The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86645V-72021CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
+
+ # chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID.
+
+Check the home directory assignment for all local interactive users on the system with the following command:
+
+ # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+ -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj
+
+Check the user's primary group with the following command:
+
+ # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group
+ users:x:250:smithj,marinc,chongt
+
+If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020660The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86647V-72023CCI-000366Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 7 with the "chown" command:
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
+
+$ sudo chown smithj /home/smithj/<file or directory>Verify all files and directories in a local interactive user's home directory have a valid owner.
+
+Check the owner of all files and directories in a local interactive user's home directory with the following command:
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
+
+$ sudo ls -lLR /home/smithj
+-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1
+-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2
+-rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3
+
+If any files or directories are found without an owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020670The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72025SV-86649CCI-000366Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
+
+# chgrp users /home/smithj/<file>Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.
+
+Check the group owner of all files and directories in a local interactive user's home directory with the following command:
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
+
+# ls -lLR /<home directory>/<users home directory>/
+-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1
+-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2
+-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3
+
+If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command:
+
+# grep smithj /etc/group
+sa:x:100:juan,shelley,bob,smithj
+smithj:x:521:smithj
+
+If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020680The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.<VulnDiscussion>If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72027SV-86651CCI-000366Set the mode on files and directories in the local interactive user home directory with the following command:
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
+
+# chmod 0750 /home/smithj/<file>Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750".
+
+Check the mode of all non-initialization files in a local interactive user home directory with the following command:
+
+Files that begin with a "." are excluded from this requirement.
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
+
+# ls -lLR /home/smithj
+-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1
+-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2
+-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3
+
+If any files are found with a mode more permissive than "0750", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020690The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72029SV-86653CCI-000366Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:
+
+Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+
+ # chown smithj /home/smithj/.[^.]*Verify the local initialization files of all local interactive users are owned by that user.
+
+Check the home directory assignment for all nonprivileged users on the system with the following command:
+
+Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+
+ # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
+
+ smithj 1000 /home/smithj
+
+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+Check the owner of all local interactive users' initialization files with the following command:
+
+ # ls -al /home/smithj/.[^.]* | more
+
+ -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history
+ -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout
+ -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile
+
+If all local interactive users' initialization files are not owned by that user or root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020700The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.<VulnDiscussion>Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72031SV-86655CCI-000366Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user's home directory, use the following command:
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and has a primary group of users.
+
+ # chgrp users /home/smithj/.[^.]*Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).
+
+Check the home directory assignment for all nonprivileged users on the system with the following command:
+
+Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users".
+
+ # awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd
+
+ smithj 1000 /home/smithj
+
+ # grep 1000 /etc/group
+
+ users:x:1000:smithj,jonesj,jacksons
+
+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+Check the group owner of all local interactive users' initialization files with the following command:
+
+ # ls -al /home/smithj/.[^.]* | more
+
+ -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history
+ -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout
+ -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile
+
+If all local interactive users' initialization files are not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020710The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86657V-72033CCI-000366Set the mode of the local initialization files to "0740" with the following command:
+
+Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj".
+
+ # chmod 0740 /home/smithj/.[^.]*Verify that all local initialization files have a mode of "0740" or less permissive.
+
+Check the mode on all local initialization files with the following command:
+
+Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj".
+
+ # ls -al /home/smithj/.[^.]* | more
+
+ -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history
+ -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout
+ -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile
+
+If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020720The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72035SV-86659CCI-000366Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory.
+
+If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the user's home directory.
+
+Check the executable search path statement for all local interactive user initialization files in the user's home directory with the following commands:
+
+Note: The example will be for the smithj user, which has a home directory of "/home/smithj".
+
+# grep -i path= /home/smithj/.*
+/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
+
+If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020730The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86661V-72037CCI-000366Set the mode on files being executed by the local initialization files with the following command:
+
+# chmod 0755 <file>Verify that local initialization files do not execute world-writable programs.
+
+Check the system for world-writable files with the following command:
+
+# find / -xdev -perm -002 -type f -exec ls -ld {} \; | more
+
+For all files listed, check for their presence in the local initialization files with the following commands:
+
+Note: The example will be for a system that is configured to create users' home directories in the "/home" directory.
+
+# grep <file> /home/*/.*
+
+If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86663V-72039CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Run the following command to determine which package owns the device file:
+
+# rpm -qf <filename>
+
+The package can be reinstalled from a yum repository using the command:
+
+# sudo yum reinstall <packagename>
+
+Alternatively, the package can be reinstalled from trusted media using the command:
+
+# sudo rpm -Uvh <packagename>Verify that all system device files are correctly labeled to prevent unauthorized modification.
+
+List all device files on the system that are incorrectly labeled with the following commands:
+
+Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system.
+
+#find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+
+#find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+
+Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.
+
+If there is output from either of these commands, other than already noted, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021000The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86665V-72041CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.Verify file systems that contain user home directories are mounted with the "nosuid" option.
+
+Find the file system(s) that contain the user home directories with the following command:
+
+Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
+
+# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
+smithj 1001 /home/smithj
+thomasr 1002 /home/thomasr
+
+Check the file systems that are mounted at boot time with the following command:
+
+# more /etc/fstab
+
+UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2
+
+If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021010The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86667V-72043CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.Verify file systems that are used for removable media are mounted with the "nosuid" option.
+
+Check the file systems that are mounted at boot time with the following command:
+
+# more /etc/fstab
+
+UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0
+
+If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021020The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86669V-72045CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.Verify file systems that are being NFS imported are configured with the "nosuid" option.
+
+Find the file system(s) that contain the directories being exported with the following command:
+
+# more /etc/fstab | grep nfs
+
+UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0
+
+If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
+
+Verify the NFS is mounted with the "nosuid" option:
+
+# mount | grep nfs | grep nosuid
+If no results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021021The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87813V-73161CCI-000366Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.Verify file systems that are being NFS imported are configured with the "noexec" option.
+
+Find the file system(s) that contain the directories being imported with the following command:
+
+# more /etc/fstab | grep nfs
+
+UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0
+
+If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
+
+Verify the NFS is mounted with the "noexec"option:
+
+# mount | grep nfs | grep noexec
+If no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-07-021024The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95725V-81013CCI-001764Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line:
+
+tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm:
+
+# cat /etc/fstab | grep /dev/shm
+
+tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
+
+If results are returned and the "nodev", "nosuid", or "noexec" options are missing, this is a finding.
+
+Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options:
+
+# mount | grep /dev/shm
+
+tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
+
+If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021030The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
+
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]:
+
+# find [PART] -xdev -type d -perm -0002 -gid +999 -print
+
+If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the umask statement from all local interactive user's initialization files.
+
+If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.Verify that the default umask for all local interactive users is "077".
+
+Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.
+
+Check all local interactive user initialization files for interactive users with the following command:
+
+Note: The example is for a system that is configured to create users home directories in the "/home" directory.
+
+$ sudo grep -ir ^umask /home | grep -v '.bash_history'
+
+If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021100The Red Hat Enterprise Linux operating system must have cron logging implemented.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72051SV-86675CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
+
+cron.* /var/log/cron
+
+The rsyslog daemon must be restarted for the changes to take effect:
+$ sudo systemctl restart rsyslog.serviceVerify that "rsyslog" is configured to log cron events.
+
+Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command:
+
+Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
+
+# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+cron.* /var/log/cron
+
+If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
+
+Look for the following entry:
+
+*.* /var/log/messages
+
+If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021110The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.<VulnDiscussion>If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72053SV-86677CCI-000366Set the owner on the "/etc/cron.allow" file to root with the following command:
+
+# chown root /etc/cron.allowVerify that the "cron.allow" file is owned by root.
+
+Check the owner of the "cron.allow" file with the following command:
+
+# ls -al /etc/cron.allow
+-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow
+
+If the "cron.allow" file exists and has an owner other than root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021120The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.<VulnDiscussion>If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86679V-72055CCI-000366Set the group owner on the "/etc/cron.allow" file to root with the following command:
+
+# chgrp root /etc/cron.allowVerify that the "cron.allow" file is group-owned by root.
+
+Check the group owner of the "cron.allow" file with the following command:
+
+# ls -al /etc/cron.allow
+-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow
+
+If the "cron.allow" file exists and has a group owner other than root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021300The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86681V-72057CCI-000366If kernel core dumps are not required, disable the "kdump" service with the following command:
+
+# systemctl disable kdump.service
+
+If kernel core dumps are required, document the need with the ISSO.Verify that kernel core dumps are disabled unless needed.
+
+Check the status of the "kdump" service with the following command:
+
+# systemctl status kdump.service
+kdump.service - Crash recovery kernel arming
+ Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)
+ Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago
+ Main PID: 1130 (code=exited, status=0/SUCCESS)
+kernel arming.
+
+If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
+
+If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021310The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86683V-72059CCI-000366Migrate the "/home" directory onto a separate file system/partition.Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.
+
+Check the home directory assignment for all non-privileged users (those with a UID of 1000 or greater) on the system with the following command:
+
+# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd
+
+adamsj 1000 /home/adamsj /bin/bash
+jacksonm 1001 /home/jacksonm /bin/bash
+smithj 1002 /home/smithj /bin/bash
+
+The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.
+
+Check that a file system/partition has been created for the non-privileged interactive users with the following command:
+
+Note: The partition of /home is used in the example.
+
+# grep /home /etc/fstab
+UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2
+
+If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021320The Red Hat Enterprise Linux operating system must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72061SV-86685CCI-000366Migrate the "/var" path onto a separate file system.Verify that a separate file system/partition has been created for "/var".
+
+Check that a file system/partition has been created for "/var" with the following command:
+
+# grep /var /etc/fstab
+UUID=c274f65f /var ext4 noatime,nobarrier 1 2
+
+If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021330The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86687V-72063CCI-000366Migrate the system audit data path onto a separate file system.Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system.
+
+# grep /var/log/audit /etc/fstab
+
+If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding.
+
+Verify that "/var/log/audit" is mounted on a separate file system:
+
+# mount | grep "/var/log/audit"
+
+If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021340The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86689V-72065CCI-000366Start the "tmp.mount" service with the following command:
+
+# systemctl enable tmp.mount
+
+OR
+
+Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.Verify that a separate file system/partition has been created for "/tmp".
+
+Check that a file system/partition has been created for "/tmp" with the following command:
+
+# systemctl is-enabled tmp.mount
+enabled
+
+If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point:
+
+# grep -i /tmp /etc/fstab
+UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0
+
+If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-021350The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86691V-72067CCI-000068CCI-001199CCI-002450CCI-002476Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
+
+To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
+
+Configure the operating system to implement DoD-approved encryption by following the steps below:
+
+The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.
+
+Install the dracut-fips package with the following command:
+
+# yum install dracut-fips
+
+Recreate the "initramfs" file with the following command:
+
+Note: This command will overwrite the existing "initramfs" file.
+
+# dracut -f
+
+Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file:
+
+fips=1
+
+Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows:
+
+On BIOS-based machines, use the following command:
+
+# grub2-mkconfig -o /boot/grub2/grub.cfg
+
+On UEFI-based machines, use the following command:
+
+# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
+
+If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command:
+
+# df /boot
+Filesystem 1K-blocks Used Available Use% Mounted on
+/dev/sda1 495844 53780 416464 12% /boot
+
+To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command:
+
+# blkid /dev/sda1
+/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4"
+
+For the example above, append the following string to the kernel command line:
+
+boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797
+
+If the file /etc/system-fips does not exists, recreate it:
+
+# touch /etc/ system-fips
+
+Reboot the system for the changes to take effect.Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.
+
+Check to see if the "dracut-fips" package is installed with the following command:
+
+# yum list installed dracut-fips
+
+dracut-fips-033-360.el7_2.x86_64.rpm
+
+If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:
+
+Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
+
+# grep fips /boot/grub2/grub.cfg
+/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet
+
+If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:
+
+# cat /proc/sys/crypto/fips_enabled
+1
+
+If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
+
+Verify the file /etc/system-fips exists.
+
+# ls -l /etc/system-fips
+
+If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs.
+
+If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs.
+
+Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory.
+
+Use the following command to determine if the file is in another location:
+
+ # find / -name aide.conf
+
+Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists.
+
+An example rule that includes the "acl" rule is below:
+
+ All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All # apply the custom rule to the files in bin
+ /sbin All # apply the same custom rule to the files in sbin
+
+If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes.
+
+If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes.
+
+Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory.
+
+Use the following command to determine if the file is in another location:
+ # find / -name aide.conf
+
+Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.
+
+An example rule that includes the "xattrs" rule follows:
+
+ All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All # apply the custom rule to the files in bin
+ /sbin All # apply the same custom rule to the files in sbin
+
+If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021620The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
+
+Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents.
+
+If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories.
+
+Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory.
+
+Use the following command to determine if the file is in another location:
+
+ # find / -name aide.conf
+
+Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.
+
+An example rule that includes the "sha512" rule follows:
+
+ All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All # apply the custom rule to the files in bin
+ /sbin All # apply the same custom rule to the files in sbin
+
+If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media.
+
+Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
+
+Check for the existence of alternate boot loader configuration files with the following command:
+
+ # find / -name grub.cfg
+ /boot/efi/EFI/redhat/grub.cfg
+
+If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/redhat/", ask the system administrator (SA) if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.
+
+List the number of menu entries defined in the grub configuration file with the following command (the number will vary between systems):
+
+ # grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg
+ 4
+
+Check that the grub configuration file has the "set root" command for each menu entry with the following command ("set root" defines the disk and partition or directory where the kernel and GRUB 2 modules are stored):
+
+ # grep 'set root' /boot/efi/EFI/redhat/grub.cfg
+ set root='hd0,gpt2'
+ set root='hd0,gpt2'
+ set root='hd0,gpt2'
+ set root='hd0,gpt2'
+
+If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-021710The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72077SV-86701CCI-000381Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command:
+
+# yum remove telnet-serverVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.
+
+Check to see if the telnet-server package is installed with the following command:
+
+# yum list installed telnet-server
+
+If the telnet-server package is installed, this is a finding.SRG-OS-000038-GPOS-00016<GroupDescription></GroupDescription>RHEL-07-030000The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.<VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
+
+Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86703V-72079CCI-000126CCI-000131Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.
+
+Enable the auditd service with the following command:
+
+# systemctl start auditd.serviceVerify the operating system produces audit records containing information to establish when (date and time) the events occurred.
+
+Check to see if auditing is active by issuing the following command:
+
+# systemctl is-active auditd.service
+active
+
+If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>RHEL-07-030010The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
+
+Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72081SV-86705CCI-000139Configure the operating system to shut down in the event of an audit processing failure.
+
+Add or correct the option to shut down the operating system with the following command:
+
+ # auditctl -f 2
+
+Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
+
+ -f 2
+
+If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:
+
+ # auditctl -f 1
+
+Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
+
+ -f 1
+
+Kernel log monitoring must also be configured to properly alert designated staff.
+
+The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled.
+
+Check to see what level "auditctl" is set to with following command:
+
+ # auditctl -s | grep -i "fail"
+ failure 2
+
+Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system will not shut down and instead will record the audit failure in the kernel log. If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert.
+
+If the "failure" setting is set to any value other than "1" or "2", this is a finding.
+
+If the "failure" setting is not set, this should be upgraded to a CAT I finding.
+
+If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030201The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited.
+
+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95729V-81017CCI-001851Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:
+
+active = yes
+direction = out
+path = /sbin/audisp-remote
+type = always
+
+The audit daemon must be restarted for changes to take effect:
+
+# service auditd restartVerify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon:
+
+# cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#"
+
+active = yes
+direction = out
+path = /sbin/audisp-remote
+type = always
+format = string
+
+If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.
+
+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030210The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When the remote buffer is full, audit logs will not be collected and sent to the central log server.
+
+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-81019SV-95731CCI-001851Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option:
+
+overflow_action = syslog
+
+The audit daemon must be restarted for changes to take effect:
+
+# service auditd restartVerify the audisp daemon is configured to take an appropriate action when the internal queue is full:
+
+# grep "overflow_action" /etc/audisp/audispd.conf
+
+overflow_action = syslog
+
+If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate what action that system takes when the internal queue is full.
+
+If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030211The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.
+
+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95733V-81021CCI-001851Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option:
+
+name_format = hostname
+
+The audit daemon must be restarted for changes to take effect:
+
+# service auditd restartVerify the audisp daemon is configured to label all off-loaded audit logs:
+
+# grep "name_format" /etc/audisp/audispd.conf
+
+name_format = hostname
+
+If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate if the logs are labeled appropriately.
+
+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030300The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72083SV-86707CCI-001851Configure the operating system to off-load audit records onto a different system or media from the system being audited.
+
+Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.Verify the operating system off-loads audit records onto a different system or media from the system being audited.
+
+To determine the remote server that the records are being sent to, use the following command:
+
+# grep -i remote_server /etc/audisp/audisp-remote.conf
+remote_server = 10.0.21.1
+
+If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
+
+If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030310The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72085SV-86709CCI-001851Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.
+
+Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line:
+
+enable_krb5 = yesVerify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.
+
+To determine if the transfer is encrypted, use the following command:
+
+# grep -i enable_krb5 /etc/audisp/audisp-remote.conf
+enable_krb5 = yes
+
+If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
+
+If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72087SV-86711CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full.
+
+Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:
+
+disk_full_action = singleVerify the action the operating system takes if the disk the audit records are written to becomes full.
+
+To determine the action that takes place if the disk is full on the remote server, use the following command:
+
+# grep -i disk_full_action /etc/audisp/audisp-remote.conf
+disk_full_action = single
+
+If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken when the disk is full on the remote server.
+
+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030321The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.<VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73163SV-87815CCI-001851Configure the action the operating system takes if there is an error sending audit records to a remote system.
+
+Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".
+
+network_failure_action = syslogVerify the action the operating system takes if there is an error sending audit records to a remote system.
+
+Check the action that takes place if there is an error sending audit records to a remote system with the following command:
+
+# grep -i network_failure_action /etc/audisp/audisp-remote.conf
+network_failure_action = syslog
+
+If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system.
+
+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030330The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72089SV-86713CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+
+Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.
+space_left = 25%
+Reload the auditd daemon to apply changes made to the "/etc/audit/auditd.conf" file.Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+
+Check the system configuration to determine the partition the audit records are being written to with the following command:
+
+$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:
+
+$ sudo grep -iw space_left /etc/audit/auditd.conf
+space_left = 25%
+
+If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
+
+Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email".
+
+space_left_action = emailVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+
+Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command:
+
+# grep -i space_left_action /etc/audit/auditd.conf
+space_left_action = email
+
+If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030350The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72093SV-86717CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
+
+Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel.
+
+action_mail_acct = rootVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
+
+Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:
+
+# grep -i action_mail_acct /etc/audit/auditd.conf
+action_mail_acct = root
+
+If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>RHEL-07-030360The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72095SV-86719CCI-002234Configure the operating system to audit the execution of privileged functions.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system audits the execution of privileged functions using the following command:
+
+# grep -iw execve /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+
+
+If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
+
+If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030370The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000126CCI-000172Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
+
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" syscalls.
+
+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+
+# grep chown /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
+
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
+
+If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030410The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86729V-72105CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls.
+
+Check the file system rules in "/etc/audit/audit.rules" with the following command:
+
+# grep chmod /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+
+If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030440The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86735V-72111CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls.
+
+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+
+# grep xattr /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+
+If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030510The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86749V-72125CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls.
+
+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+
+# grep 'open\|truncate\|creat' /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+
+If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding.
+
+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+
+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030560The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86759V-72135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/sbin/semanage" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030570The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72137SV-86761CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/sbin/setsebool" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030580The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72139SV-86763CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/bin/chcon" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030590The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72141SV-86765CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/sbin/setfiles" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030610The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-w /var/run/faillock -p wa -k logins
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when unsuccessful account access events occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following commands:
+
+# grep -i /var/run/faillock /etc/audit/audit.rules
+
+-w /var/run/faillock -p wa -k logins
+
+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030620The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72147SV-86771CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when successful account access events occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-w /var/log/lastlog -p wa -k logins
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful account access events occur.
+
+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+
+# grep -i /var/log/lastlog /etc/audit/audit.rules
+
+-w /var/log/lastlog -p wa -k logins
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030630The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86773V-72149CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/bin/passwd" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030640The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86775V-72151CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/sbin/unix_chkpwd" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030650The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86777V-72153CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/bin/gpasswd" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030660The Red Hat Enterprise Linux operating system must audit all uses of the chage command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86779V-72155CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/bin/chage" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030670The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86781V-72157CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
+
+Check the file system rule in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/sbin/userhelper" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
+
+If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030680The Red Hat Enterprise Linux operating system must audit all uses of the su command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/bin/su" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030690The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72161SV-86785CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/bin/sudo" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030700The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72163SV-86787CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-w /etc/sudoers -p wa -k privileged-actions
+
+-w /etc/sudoers.d/ -p wa -k privileged-actions
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
+
+Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules":
+
+# grep -i "/etc/sudoers" /etc/audit/audit.rules
+
+-w /etc/sudoers -p wa -k privileged-actions
+
+# grep -i "/etc/sudoers.d/" /etc/audit/audit.rules
+
+-w /etc/sudoers.d/ -p wa -k privileged-actions
+
+If the commands do not return output that match the examples, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030710The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72165SV-86789CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/bin/newgrp" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030720The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/bin/chsh" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030740The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72171SV-86795CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
+
+Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "mount" /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
+
+If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.
+
+If all uses of the "mount" command are not being audited, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030750The Red Hat Enterprise Linux operating system must audit all uses of the umount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72173SV-86797CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
+
+Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/bin/umount" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030760The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72175SV-86799CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/sbin/postdrop" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030770The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/sbin/postqueue" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030780The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/libexec/openssh/ssh-keysign" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
+
+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030800The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur.
+
+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+
+$ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron
+
+If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-07-030810The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur.
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam
+
+If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78999SV-93705CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change
+
+-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur.
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "create_module" /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change
+
+-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change
+
+If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange
+
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls.
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep init_module /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange
+
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange
+
+If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change
+
+-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur.
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep -w "delete_module" /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change
+
+-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change
+
+If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86815V-72191CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur.
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+$ sudo grep "/usr/bin/kmod" /etc/audit/audit.rules
+
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+
+If the command does not return any output, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030870The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86821V-72197CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
+
+Add or update the following rule "/etc/audit/rules.d/audit.rules":
+
+-w /etc/passwd -p wa -k identity
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+# grep /etc/passwd /etc/audit/audit.rules
+
+-w /etc/passwd -p wa -k identity
+
+If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030871The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87817V-73165CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-w /etc/group -p wa -k identity
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+# grep /etc/group /etc/audit/audit.rules
+
+-w /etc/group -p wa -k identity
+
+If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030872The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87819V-73167CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-w /etc/gshadow -p wa -k identity
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+# grep /etc/gshadow /etc/audit/audit.rules
+
+-w /etc/gshadow -p wa -k identity
+
+If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030873The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87823V-73171CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+
+Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
+
+-w /etc/shadow -p wa -k identity
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+# grep /etc/shadow /etc/audit/audit.rules
+
+-w /etc/shadow -p wa -k identity
+
+If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030874The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87825V-73173CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
+
+Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
+
+-w /etc/security/opasswd -p wa -k identity
+
+The audit daemon must be restarted for the changes to take effect:
+# systemctl restart auditdVerify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
+
+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+
+# grep /etc/security/opasswd /etc/audit/audit.rules
+
+-w /etc/security/opasswd -p wa -k identity
+
+If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030910The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+
+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72205SV-86829CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls.
+
+Add the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
+
+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls.
+
+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+
+# grep 'unlink\|rename\|rmdir' /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
+
+If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031000The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.<VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86833V-72209CCI-000366Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation server:
+
+For UDP:
+ *.* @[logaggregationserver.example.mil]:[port]
+
+For TCP:
+ *.* @@[logaggregationserver.example.mil]:[port]Verify "rsyslog" is configured to send all messages to a log aggregation server.
+
+Check the configuration of "rsyslog" with the following command:
+
+Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf".
+
+ # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+
+ *.* @@[logaggregationserver.example.mil]:[port]
+
+If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the system administrator to indicate how the audit logs are offloaded to a different system or media.
+
+If the lines are commented out or there is no evidence that the audit logs are being sent to another log aggregation server, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031010The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.
+
+If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86835V-72211CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.
+
+Check the configuration of "rsyslog" with the following command:
+
+# grep imtcp /etc/rsyslog.conf
+$ModLoad imtcp
+# grep imudp /etc/rsyslog.conf
+$ModLoad imudp
+# grep imrelp /etc/rsyslog.conf
+$ModLoad imrelp
+
+If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation.
+
+If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>RHEL-07-040000The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72217SV-86841CCI-000054Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types.
+
+Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ :
+
+* hard maxlogins 10Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command:
+
+# grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf
+
+* hard maxlogins 10
+
+This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
+
+If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>RHEL-07-040100The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
+
+Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72219SV-86843CCI-000382CCI-002314Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.
+
+Check which services are currently active with the following command:
+
+# firewall-cmd --list-all
+public (default, active)
+ interfaces: enp0s3
+ sources:
+ services: dhcpv6-client dns http https ldaps rpc-bind ssh
+ ports:
+ masquerade: no
+ forward-ports:
+ icmp-blocks:
+ rich rules:
+
+Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA.
+
+If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
+
+The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.
+
+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72221SV-86845CCI-000068CCI-000366CCI-000803Configure SSH to use FIPS 140-2 approved cryptographic algorithms.
+
+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
+
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+The SSH service must be restarted for changes to take effect.Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
+
+The location of the "sshd_config" file may vary if a different daemon is in use.
+
+Inspect the "Ciphers" configuration with the following command:
+
+# grep -i ciphers /etc/ssh/sshd_config
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040160The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+
+Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86847V-72223CCI-001133CCI-002361Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
+
+Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
+
+#!/bin/bash
+
+declare -xr TMOUT=900Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.
+
+Check the value of the system inactivity timeout with the following command:
+
+$ sudo grep -irw tmout /etc/profile /etc/bashrc /etc/profile.d
+
+etc/profile.d/tmout.sh:declare -xr TMOUT=900
+
+If conflicting results are returned, this is a finding.
+If "TMOUT" is not set to "900" or less to enforce session termination after inactivity, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-040170The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72225SV-86849CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
+
+Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
+
+banner /etc/issue
+
+Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+The SSH service must be restarted for changes to take effect.Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
+
+Check for the location of the banner file being used with the following command:
+
+# grep -i banner /etc/ssh/sshd_config
+
+banner /etc/issue
+
+This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").
+
+If the line is commented out, this is a finding.
+
+View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
+
+If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040180The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72227SV-86851CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.
+
+Add or modify the following line in "/etc/sssd/sssd.conf":
+
+ ldap_id_use_start_tls = trueIf LDAP is not being utilized, this requirement is Not Applicable.
+
+Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions.
+
+To determine if LDAP is being used for authentication, use the following command:
+
+ # systemctl status sssd.service
+ sssd.service - System Security Services Daemon
+ Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
+ Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
+
+If the "sssd.service" is "active", then LDAP is being used.
+
+Determine the "id_provider" the LDAP is currently using:
+
+ # grep -ir id_provider /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+ id_provider = ad
+
+If "id_provider" is set to "ad", this is Not Applicable.
+
+Ensure that LDAP is configured to use TLS by using the following command:
+
+ # grep -ir start_tls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+ ldap_id_use_start_tls = true
+
+If the "ldap_id_use_start_tls" option is not "true", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040190The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72229SV-86853CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
+
+Add or modify the following line in "/etc/sssd/sssd.conf":
+
+ ldap_tls_reqcert = demandIf LDAP is not being utilized, this requirement is Not Applicable.
+
+Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.
+
+To determine if LDAP is being used for authentication, use the following command:
+
+ # systemctl status sssd.service
+ sssd.service - System Security Services Daemon
+ Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
+ Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
+
+If the "sssd.service" is "active", then LDAP is being used.
+
+Determine the "id_provider" the LDAP is currently using:
+
+ # grep -ir id_provider /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+ id_provider = ad
+
+If "id_provider" is set to "ad", this is Not Applicable.
+
+Verify the sssd service is configured to require the use of certificates:
+
+ # grep -ir tls_reqcert /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+ ldap_tls_reqcert = demand
+
+If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding.
+
+If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040200The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86855V-72231CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
+
+Add or modify the following line in "/etc/sssd/sssd.conf":
+
+ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crtIf LDAP is not being utilized, this requirement is Not Applicable.
+
+Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.
+
+To determine if LDAP is being used for authentication, use the following command:
+
+ # systemctl status sssd.service
+ sssd.service - System Security Services Daemon
+ Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
+ Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
+
+If the "sssd.service" is "active", then LDAP is being used.
+
+Determine the "id_provider" that the LDAP is currently using:
+
+ # grep -ir id_provider /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+ id_provider = ad
+
+If "id_provider" is set to "ad", this is Not Applicable.
+
+Check the path to the X.509 certificate for peer authentication with the following command:
+
+ # grep -ir tls_cacert /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
+
+Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate.
+
+If this file does not exist, or the option is commented out or missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040201The Red Hat Enterprise Linux operating system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-92521V-77825CCI-000366Configure the operating system implement virtual address space randomization.
+
+Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ kernel.randomize_va_space = 2
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the operating system implements virtual address space randomization.
+
+ # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ kernel.randomize_va_space = 2
+
+If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or or in any of the other sysctl.d directories, is commented out or does not have a value of "2", this is a finding.
+
+Check that the operating system implements virtual address space randomization with the following command:
+
+ # /sbin/sysctl -a | grep kernel.randomize_va_space
+ kernel.randomize_va_space = 2
+
+If "kernel.randomize_va_space" does not have a value of "2", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
+
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86857V-72233CCI-002418CCI-002420CCI-002421CCI-002422Install SSH packages onto the host with the following commands:
+
+# yum install openssh-server.x86_64Check to see if sshd is installed with the following command:
+
+# yum list installed \*ssh\*
+libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1
+openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1
+openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1
+
+If the "SSH server" package is not installed, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040310The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86859V-72235CCI-002418CCI-002420CCI-002421CCI-002422Configure the SSH service to automatically start after reboot with the following command:
+
+# systemctl enable sshd.serviceVerify SSH is loaded and active with the following command:
+
+# systemctl status sshd
+sshd.service - OpenSSH server daemon
+Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
+Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago
+Main PID: 1348 (sshd)
+CGroup: /system.slice/sshd.service
+1053 /usr/sbin/sshd -D
+
+If "sshd" does not show a status of "active" and "running", this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040320The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
+
+Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72237SV-86861CCI-001133CCI-002361Note: This setting must be applied in conjunction with RHEL-07-040340 to function correctly.
+
+Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.
+
+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+ ClientAliveInterval 600
+
+The SSH service must be restarted for changes to take effect.Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes.
+
+Check for the value of the "ClientAliveInterval" keyword with the following command:
+
+ # grep -iw clientaliveinterval /etc/ssh/sshd_config
+
+ ClientAliveInterval 600
+
+If "ClientAliveInterval" is not configured, is commented out, or has a value of "0", this is a finding.
+
+If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040330The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72239SV-86863CCI-000366Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
+
+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
+
+RhostsRSAAuthentication no
+
+The SSH service must be restarted for changes to take effect.Check the version of the operating system with the following command:
+
+# cat /etc/redhat-release
+
+If the release is 7.4 or newer this requirement is Not Applicable.
+
+Verify the SSH daemon does not allow authentication using RSA rhosts authentication.
+
+To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command:
+
+# grep RhostsRSAAuthentication /etc/ssh/sshd_config
+RhostsRSAAuthentication no
+
+If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040340The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
+
+Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86865V-72241CCI-001133CCI-002361Note: This setting must be applied in conjunction with RHEL-07-040320 to function correctly.
+
+Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.
+
+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+ ClientAliveCountMax 0
+
+The SSH service must be restarted for changes to take effect.Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive.
+
+Check for the value of the "ClientAliveCountMax" keyword with the following command:
+
+ # grep -i clientalivecount /etc/ssh/sshd_config
+ ClientAliveCountMax 0
+
+If "ClientAliveCountMax" is not set to "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040350The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72243SV-86867CCI-000366Configure the SSH daemon to not allow authentication using known hosts authentication.
+
+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
+
+IgnoreRhosts yesVerify the SSH daemon does not allow authentication using known hosts authentication.
+
+To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command:
+
+# grep -i IgnoreRhosts /etc/ssh/sshd_config
+
+IgnoreRhosts yes
+
+If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040360The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72245SV-86869CCI-000052Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
+
+Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:
+
+PrintLastLog yes
+
+The SSH service must be restarted for changes to "sshd_config" to take effect.Verify SSH provides users with feedback on when account accesses last occurred.
+
+Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:
+
+# grep -i printlastlog /etc/ssh/sshd_config
+PrintLastLog yes
+
+If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040370The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.<VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72247SV-86871CCI-000366Configure SSH to stop users from logging on remotely as the root user.
+
+Edit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+PermitRootLogin no
+
+The SSH service must be restarted for changes to take effect.Verify remote access using SSH prevents users from logging on directly as root.
+
+Check that SSH prevents users from logging on directly as root with the following command:
+
+# grep -i permitrootlogin /etc/ssh/sshd_config
+PermitRootLogin no
+
+If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040380The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72249SV-86873CCI-000366Configure the SSH daemon to not allow authentication using known hosts authentication.
+
+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
+
+IgnoreUserKnownHosts yes
+
+The SSH service must be restarted for changes to take effect.Verify the SSH daemon does not allow authentication using known hosts authentication.
+
+To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:
+
+# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
+
+IgnoreUserKnownHosts yes
+
+If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>RHEL-07-040390The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
+
+Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86875V-72251CCI-000197CCI-000366Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:
+
+Protocol 2
+
+The SSH service must be restarted for changes to take effect.Check the version of the operating system with the following command:
+
+# cat /etc/redhat-release
+
+If the release is 7.4 or newer this requirement is Not Applicable.
+
+Verify the SSH daemon is configured to only use the SSHv2 protocol.
+
+Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:
+
+# grep -i protocol /etc/ssh/sshd_config
+Protocol 2
+#Protocol 1,2
+
+If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040400The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.
+
+The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86877V-72253CCI-001453Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+MACs hmac-sha2-512,hmac-sha2-256
+
+The SSH service must be restarted for changes to take effect.Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes.
+
+Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.
+
+Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following command:
+
+# grep -i macs /etc/ssh/sshd_config
+MACs hmac-sha2-512,hmac-sha2-256
+
+If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040410The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72255SV-86879CCI-000366Note: SSH public key files may be found in other directories on the system depending on the installation.
+
+Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:
+
+# chmod 0644 /etc/ssh/*.key.pubVerify the SSH public host key files have mode "0644" or less permissive.
+
+Note: SSH public key files may be found in other directories on the system depending on the installation.
+
+The following command will find all SSH public key files on the system:
+
+# find /etc/ssh -name '*.pub' -exec ls -lL {} \;
+
+-rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub
+-rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub
+-rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub
+
+If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040420The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72257SV-86881CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command:
+
+# chmod 0640 /path/to/file/ssh_host*keyVerify the SSH private host key files have mode "0640" or less permissive.
+
+The following command will find all SSH private key files on the system and list their modes:
+
+ # find / -name '*ssh_host*key' | xargs ls -lL
+
+ -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key
+ -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key
+ -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key
+
+If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
+
+GSSAPIAuthentication no
+
+The SSH service must be restarted for changes to take effect.
+
+If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.Verify the SSH daemon does not permit GSSAPI authentication unless approved.
+
+Check that the SSH daemon does not permit GSSAPI authentication with the following command:
+
+# grep -i gssapiauth /etc/ssh/sshd_config
+GSSAPIAuthentication no
+
+If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040440The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.<VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72261SV-86885CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
+
+KerberosAuthentication no
+
+The SSH service must be restarted for changes to take effect.
+
+If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.
+
+Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:
+
+# grep -i kerberosauth /etc/ssh/sshd_config
+KerberosAuthentication no
+
+If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040450The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86887V-72263CCI-000366Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":
+
+StrictModes yes
+
+The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs strict mode checking of home directory configuration files.
+
+The location of the "sshd_config" file may vary if a different daemon is in use.
+
+Inspect the "sshd_config" file with the following command:
+
+# grep -i strictmodes /etc/ssh/sshd_config
+
+StrictModes yes
+
+If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040460The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.<VulnDiscussion>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86889V-72265CCI-000366Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":
+
+UsePrivilegeSeparation sandbox
+
+The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs privilege separation.
+
+Check that the SSH daemon performs privilege separation with the following command:
+
+# grep -i usepriv /etc/ssh/sshd_config
+
+UsePrivilegeSeparation sandbox
+
+If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040470The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86891V-72267CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":
+
+ Compression no
+
+The SSH service must be restarted for changes to take effect.Note: For RHEL 7.4 and above, this requirement is not applicable.
+
+Verify the SSH daemon performs compression after a user successfully authenticates.
+
+Check that the SSH daemon performs compression after a user successfully authenticates with the following command:
+
+ # grep -i compression /etc/ssh/sshd_config
+ Compression delayed
+
+If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
+
+Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
+
+Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
+
+Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72269SV-86893CCI-001891CCI-002046Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "16" as follows:
+
+server 0.rhel.pool.ntp.org iburst maxpoll 16
+
+If NTP was running and "maxpoll" was updated, the NTP service must be restarted:
+
+# systemctl restart ntpd
+
+If NTP was not running, it must be started:
+
+# systemctl start ntpd
+
+If "chronyd" was running and "maxpoll" was updated, the service must be restarted:
+
+# systemctl restart chronyd.service
+
+If "chronyd" was not running, it must be started:
+
+# systemctl start chronyd.serviceCheck to see if NTP is running in continuous mode:
+
+# ps -ef | grep ntp
+
+If NTP is not running, check to see if "chronyd" is running in continuous mode:
+
+# ps -ef | grep chronyd
+
+If NTP or "chronyd" is not running, this is a finding.
+
+If the NTP process is found, then check the "ntp.conf" file for the "maxpoll" option setting:
+
+# grep maxpoll /etc/ntp.conf
+
+server 0.rhel.pool.ntp.org iburst maxpoll 16
+
+If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding.
+
+If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpd -q" command.
+
+# grep -i "ntpd -q" /etc/cron.daily/*
+# ls -al /etc/cron.* | grep ntp
+
+ntp
+
+If a crontab file does not exist in the "/etc/cron.daily" that executes the "ntpd -q" command, this is a finding.
+
+If the "chronyd" process is found, then check the "chrony.conf" file for the "maxpoll" option setting:
+
+# grep maxpoll /etc/chrony.conf
+
+server 0.rhel.pool.ntp.org iburst maxpoll 16
+
+If the option is not set or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040520The Red Hat Enterprise Linux operating system must enable an application firewall, if available.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
+
+Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86897V-72273CCI-000366Ensure the operating system's application firewall is enabled.
+
+Install the "firewalld" package, if it is not on the system, with the following command:
+
+# yum install firewalld
+
+Start the firewall via "systemctl" with the following command:
+
+# systemctl start firewalldVerify the operating system enabled an application firewall.
+
+Check to see if "firewalld" is installed with the following command:
+
+# yum list installed firewalld
+firewalld-0.3.9-11.el7.noarch.rpm
+
+If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed.
+
+If an application firewall is not installed, this is a finding.
+
+Check to see if the firewall is loaded and active with the following command:
+
+# systemctl status firewalld
+firewalld.service - firewalld - dynamic firewall daemon
+
+ Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
+ Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago
+
+If "firewalld" does not show a status of "loaded" and "active", this is a finding.
+
+Check the state of the firewall:
+
+# firewall-cmd --state
+running
+
+If "firewalld" does not show a state of "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040530The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86899V-72275CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin".
+
+Add the following line to the top of "/etc/pam.d/postlogin":
+
+session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred.
+
+Check that "pam_lastlog" is used and not silent with the following command:
+
+# grep pam_lastlog /etc/pam.d/postlogin
+session required pam_lastlog.so showfailed
+
+If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040540The Red Hat Enterprise Linux operating system must not contain .shosts files.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86901V-72277CCI-000366Remove any found ".shosts" files from the system.
+
+# rm /[path]/[to]/[file]/.shostsVerify there are no ".shosts" files on the system.
+
+Check the system for the existence of these files with the following command:
+
+# find / -name '*.shosts'
+
+If any ".shosts" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040550The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.<VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86903V-72279CCI-000366Remove any found "shosts.equiv" files from the system.
+
+# rm /[path]/[to]/[file]/shosts.equivVerify there are no "shosts.equiv" files on the system.
+
+Check the system for the existence of these files with the following command:
+
+# find / -name shosts.equiv
+
+If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040600For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86905V-72281CCI-000366Configure the operating system to use two or more name servers for DNS resolution.
+
+Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows:
+
+# echo -n > /etc/resolv.conf
+
+And then make the file immutable with the following command:
+
+# chattr +i /etc/resolv.conf
+
+If the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool.Determine whether the system is using local or DNS name resolution with the following command:
+
+# grep hosts /etc/nsswitch.conf
+hosts: files dns
+
+If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.
+
+Verify the "/etc/resolv.conf" file is empty with the following command:
+
+# ls -al /etc/resolv.conf
+-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
+
+If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding.
+
+If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution.
+
+Determine the name servers used by the system with the following command:
+
+# grep nameserver /etc/resolv.conf
+nameserver 192.168.1.2
+nameserver 192.168.1.3
+
+If less than two lines are returned that are not commented out, this is a finding.
+
+Verify that the "/etc/resolv.conf" file is immutable with the following command:
+
+# sudo lsattr /etc/resolv.conf
+
+----i----------- /etc/resolv.conf
+
+If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040610The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72283SV-86907CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.all.accept_source_route = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl -systemVerify the system does not accept IPv4 source-routed packets.
+
+ # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ net.ipv4.conf.all.accept_source_route = 0
+
+If "net.ipv4.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding.
+
+Check that the operating system implements the accept source route variable with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route
+ net.ipv4.conf.all.accept_source_route = 0
+
+If the returned line does not have a value of "0", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040611The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92251SV-102353CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.all.rp_filter = 1
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system uses a reverse-path filter for IPv4:
+
+ # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ net.ipv4.conf.all.rp_filter = 1
+
+If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding.
+
+Check that the operating system implements the accept source route variable with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter
+ net.ipv4.conf.all.rp_filter = 1
+
+If the returned line does not have a value of "1", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040612The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92253SV-102355CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.default.rp_filter = 1
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system uses a reverse-path filter for IPv4:
+
+ # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ net.ipv4.conf.default.rp_filter = 1
+
+If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding.
+
+Check that the operating system implements the accept source route variable with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter
+ net.ipv4.conf.default.rp_filter = 1
+
+If the returned line does not have a value of "1", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040620The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72285SV-86909CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.default.accept_source_route = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system does not accept IPv4 source-routed packets by default.
+
+ # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ net.ipv4.conf.default.accept_source_route = 0
+
+If "net.ipv4.conf.default.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding.
+
+Check that the operating system implements the accept source route variable with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route
+ net.ipv4.conf.default.accept_source_route = 0
+
+If the returned line does not have a value of "0", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040630The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72287SV-86911CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.
+
+ # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+
+If "net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding.
+
+Check that the operating system implements the "icmp_echo_ignore_broadcasts" variable with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts
+ net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+If the returned line does not have a value of "1", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040640The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86913V-72289CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.default.accept_redirects = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system will not accept IPv4 ICMP redirect messages.
+
+ # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+
+If "net.ipv4.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding.
+
+Check that the operating system implements the value of the "accept_redirects" variables with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects
+ net.ipv4.conf.default.accept_redirects = 0
+
+If the returned line does not have a value of "0", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040641The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87827V-73175CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.all.accept_redirects = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system ignores IPv4 ICMP redirect messages.
+
+ # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+
+If "net.ipv4.conf.all.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding.
+
+Check that the operating system implements the "accept_redirects" variables with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects
+ net.ipv4.conf.all.accept_redirects = 0
+
+If the returned line does not have a value of "0", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default.
+
+Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.default.send_redirects = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system does not allow interfaces to perform IPv4 ICMP redirects by default.
+
+ # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+
+If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding.
+
+Check that the operating system implements the "default send_redirects" variables with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects
+ net.ipv4.conf.default.send_redirects = 0
+
+If the returned line does not have a value of "0", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects.
+
+Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.conf.all.send_redirects = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system does not send IPv4 ICMP redirect messages.
+
+ # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+
+If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding.
+
+Check that the operating system implements the "all send_redirects" variables with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects
+ net.ipv4.conf.all.send_redirects = 0
+
+If the returned line does not have a value of "0", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040670Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.
+
+If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72295SV-86919CCI-000366Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.
+
+Set the promiscuous mode of an interface to off with the following command:
+
+#ip link set dev <devicename> multicast off promisc offVerify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.
+
+Check for the status with the following command:
+
+# ip link | grep -i promisc
+
+If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040680The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86921V-72297CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
+
+# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying.
+
+Determine if "postfix" is installed with the following commands:
+
+# yum list installed postfix
+postfix-2.6.6-6.el7.x86_64.rpm
+
+If postfix is not installed, this is Not Applicable.
+
+If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:
+
+# postconf -n smtpd_client_restrictions
+smtpd_client_restrictions = permit_mynetworks, reject
+
+If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040690The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.<VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86923V-72299CCI-000366Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:
+
+# yum remove vsftpdVerify an FTP server has not been installed on the system.
+
+Check to see if an FTP server has been installed with the following commands:
+
+# yum list installed vsftpd
+
+ vsftpd-3.0.2.el7.x86_64.rpm
+
+If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040700The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.<VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86925V-72301CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the TFTP package from the system with the following command:
+
+# yum remove tftp-serverVerify a TFTP server has not been installed on the system.
+
+Check to see if a TFTP server has been installed with the following command:
+
+# yum list installed tftp-server
+tftp-server-0.49-9.el7.x86_64.rpm
+
+If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040710The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.
+X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.
+If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86927V-72303CCI-000366Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+X11Forwarding no
+
+The SSH service must be restarted for changes to take effect:
+
+# systemctl restart sshdDetermine if X11Forwarding is disabled with the following command:
+
+# grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#"
+
+X11Forwarding no
+
+If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040720The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.<VulnDiscussion>Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86929V-72305CCI-000366Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):
+
+server_args = -s /var/lib/tftpbootVerify the TFTP daemon is configured to operate in secure mode.
+
+Check to see if a TFTP server has been installed with the following commands:
+
+# yum list installed tftp-server
+tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms
+
+If a TFTP server is not installed, this is Not Applicable.
+
+If a TFTP server is installed, check for the server arguments with the following command:
+
+# grep server_args /etc/xinetd.d/tftp
+server_args = -s /var/lib/tftpboot
+
+If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040730The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86931V-72307CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:
+
+Open an SSH session and enter the following commands:
+
+$ sudo systemctl set-default multi-user.target
+
+$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils
+
+A reboot is required for the changes to take effect.Verify the system is configured to boot to the command line:
+
+$ systemctl get-default
+multi-user.target
+
+If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.
+
+Verify a graphical user interface is not installed:
+
+$ rpm -qa | grep xorg | grep server
+
+Ask the System Administrator if use of a graphical user interface is an operational requirement.
+
+If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.
+SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040740The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86933V-72309CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv4.ip_forward = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemVerify the system is not performing packet forwarding, unless the system is a router.
+
+ # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ net.ipv4.ip_forward = 0
+
+If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding.
+
+Check that the operating system does not implement IP forwarding using the following command:
+
+ # /sbin/sysctl -a | grep net.ipv4.ip_forward
+ net.ipv4.ip_forward = 0
+
+If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting.
+
+Ensure the "sec" option is defined as "krb5:krb5i:krb5p".Verify "AUTH_GSS" is being used to authenticate NFS mounts.
+
+To check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command:
+
+# cat /etc/fstab | grep nfs
+192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p
+
+If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040800SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.<VulnDiscussion>Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86937V-72313CCI-000366If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.Verify that a system using SNMP is not using default community strings.
+
+Check to see if the "/etc/snmp/snmpd.conf" file exists with the following command:
+
+# ls -al /etc/snmp/snmpd.conf
+ -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf
+
+If the file does not exist, this is Not Applicable.
+
+If the file does exist, check for the default community strings with the following commands:
+
+# grep public /etc/snmp/snmpd.conf
+# grep private /etc/snmp/snmpd.conf
+
+If either of these commands returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040810The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86939V-72315CCI-000366If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts.
+
+If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding.
+
+Verify the system's access control program is configured to grant or deny system access to specific hosts.
+
+Check to see if "firewalld" is active with the following command:
+
+# systemctl status firewalld
+firewalld.service - firewalld - dynamic firewall daemon
+Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
+Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
+
+If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:
+
+# firewall-cmd --get-default-zone
+public
+
+# firewall-cmd --list-all --zone=public
+public (active)
+target: default
+icmp-block-inversion: no
+interfaces: eth0
+sources:
+services: mdns ssh
+ports:
+protocols:
+masquerade: no
+forward-ports:
+icmp-blocks:
+
+If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:
+
+# ls -al /etc/hosts.allow
+rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow
+
+# ls -al /etc/hosts.deny
+-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny
+
+If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.
+
+If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040820The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.<VulnDiscussion>IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72317SV-86941CCI-000366Remove all unapproved tunnels from the system, or document them with the ISSO.Verify the system does not have unauthorized IP tunnels configured.
+
+Check to see if "libreswan" is installed with the following command:
+
+# yum list installed libreswan
+libreswan.x86-64 3.20-5.el7_4
+
+If "libreswan" is installed, check to see if the "IPsec" service is active with the following command:
+
+# systemctl status ipsec
+ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
+Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
+Active: inactive (dead)
+
+If the "IPsec" service is active, check to see if any tunnels are configured in "/etc/ipsec.conf" and "/etc/ipsec.d/" with the following commands:
+
+# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf
+
+If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO.
+
+If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040830The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72319SV-86943CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+
+ net.ipv6.conf.all.accept_source_route = 0
+
+Issue the following command to make the changes take effect:
+
+ # sysctl --systemIf IPv6 is not enabled, the key will not exist, and this is Not Applicable.
+
+Verify the system does not accept IPv6 source-routed packets.
+
+ # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ net.ipv6.conf.all.accept_source_route = 0
+
+If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding.
+
+Check that the operating system implements the accept source route variable with the following command:
+
+ # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route
+ net.ipv6.conf.all.accept_source_route = 0
+
+If the returned lines do not have a value of "0", this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041001The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87041V-72417CCI-001948CCI-001953CCI-001954Configure the operating system to implement multifactor authentication by installing the required packages.
+
+Install the pam_pkcs11 package with the following command:
+
+# yum install pam_pkcs11Verify the operating system has the packages required for multifactor authentication installed.
+
+Check for the presence of the packages required to support multifactor authentication with the following commands:
+
+# yum list installed pam_pkcs11
+pam_pkcs11-0.6.2-14.el7.noarch.rpm
+
+If the "pam_pkcs11" package is not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041002The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72427SV-87051CCI-001948CCI-001953CCI-001954Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
+
+Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
+
+Check the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command:
+
+# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
+
+services = nss, pam
+
+If the "pam" service is not present on all "services" lines, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041003The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72433SV-87057CCI-001948CCI-001953CCI-001954Configure the operating system to do certificate status checking for PKI authentication.
+
+Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".Verify the operating system implements certificate status checking for PKI authentication.
+
+Check to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command:
+
+# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v "^#"
+
+cert_policy = ca, ocsp_on, signature;
+cert_policy = ca, ocsp_on, signature;
+cert_policy = ca, ocsp_on, signature;
+
+There should be at least three lines returned.
+
+If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>RHEL-07-041010The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73177SV-87829CCI-001443CCI-001444CCI-002418Configure the system to disable all wireless network interfaces with the following command:
+
+#nmcli radio wifi offVerify that there are no wireless interfaces configured on the system.
+
+This is N/A for systems that do not have wireless network adapters.
+
+Check for the presence of active wireless interfaces with the following command:
+
+# nmcli device
+DEVICE TYPE STATE
+eth0 ethernet connected
+wlp3s0 wifi disconnected
+lo loopback unmanaged
+
+If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010020The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.<VulnDiscussion>Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86479V-71855CCI-001749Run the following command to determine which package owns the file:
+
+# rpm -qf <filename>
+
+The package can be reinstalled from a yum repository using the command:
+
+# sudo yum reinstall <packagename>
+
+Alternatively, the package can be reinstalled from trusted media using the command:
+
+# sudo rpm -Uvh <packagename>Verify the cryptographic hash of system files and commands match the vendor values.
+
+Check the cryptographic hash of system files and commands with the following command:
+
+Note: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log.
+
+# rpm -Va --noconfig | grep '^..5'
+
+If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263CCI-000366Install and enable the latest Trellix ENSLTP package.Check that the following package has been installed:
+
+ # rpm -qa | grep -i mcafeetp
+
+If the "mcafeetp" package is not installed, this is a finding.
+
+Verify that the daemon is running:
+
+ # ps -ef | grep -i mfetpd
+
+If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.
+
+The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
+
+If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72213SV-86837CCI-001668CCI-000366Install an antivirus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.
+
+If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010062The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78995SV-93701CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
+
+ # touch /etc/dconf/db/local.d/locks/session
+
+Add the setting to lock the screensaver lock-enabled setting:
+
+ /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Determine which profile the system database is using with the following command:
+ # grep system-db /etc/dconf/profile/user
+ system-db:local
+
+Check for the lock-enabled setting with the following command:
+
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
+
+ # grep -i lock-enabled /etc/dconf/db/local.d/locks/*
+ /org/gnome/desktop/screensaver/lock-enabled
+
+If the command does not return a result, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020111The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-100023SV-109127CCI-000366CCI-000778CCI-001958Configure the graphical user interface to disable the ability to automount devices.
+
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
+
+Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:
+
+[org/gnome/desktop/media-handling]
+
+automount=false
+
+automount-open=false
+
+autorun-never=true
+
+Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:
+/org/gnome/desktop/media-handling/automount
+
+/org/gnome/desktop/media-handling/automount-open
+
+/org/gnome/desktop/media-handling/autorun-never
+
+Run the following command to update the database:
+
+# dconf updateNote: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Verify the operating system disables the ability to automount devices in a graphical user interface.
+
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
+
+Check to see if automounter service is disabled with the following commands:
+# cat /etc/dconf/db/local.d/00-No-Automount
+
+[org/gnome/desktop/media-handling]
+
+automount=false
+
+automount-open=false
+
+autorun-never=true
+
+If the output does not match the example above, this is a finding.
+
+# cat /etc/dconf/db/local.d/locks/00-No-Automount
+
+/org/gnome/desktop/media-handling/automount
+
+/org/gnome/desktop/media-handling/automount-open
+
+/org/gnome/desktop/media-handling/autorun-never
+
+If the output does not match the example, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021031The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
+
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:
+
+# find [PART] -xdev -type d -perm -0002 -uid +999 -print
+
+If there is output, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-07-910055The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
+
+Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command:
+
+# chmod 0600 [audit_file]
+
+Change the owner and group owner of the audit log files with the following command:
+
+# chown root:root [audit_file]Verify the operating system audit records have proper permissions and ownership.
+
+List the full permissions and ownership of the audit log files with the following command.
+
+# ls -la /var/log/audit
+total 4512
+drwx------. 2 root root 23 Apr 25 16:53 .
+drwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..
+-rw-------. 1 root root 8675309 Aug 9 12:54 audit.log
+
+Audit logs must be mode 0600 or less permissive.
+If any are more permissive, this is a finding.
+
+The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040711The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.
+
+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+X11UseLocalhost yesVerify the SSH daemon prevents remote hosts from connecting to the proxy display.
+
+Check the SSH X11UseLocalhost setting with the following command:
+
+# sudo grep -i x11uselocalhost /etc/ssh/sshd_config
+X11UseLocalhost yes
+
+If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010341The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.<VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Remove the following entries from the sudoers file:
+ALL ALL=(ALL) ALL
+ALL ALL=(ALL:ALL) ALLVerify the "sudoers" file restricts sudo access to authorized personnel.
+$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*
+
+If the either of the following entries are returned, this is a finding:
+ALL ALL=(ALL) ALL
+ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
+For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
+ Defaults !targetpw
+ Defaults !rootpw
+ Defaults !runaspw
+
+Remove any configurations that conflict with the above from the following locations:
+ /etc/sudoers
+ /etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
+
+ $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'
+
+ /etc/sudoers:Defaults !targetpw
+ /etc/sudoers:Defaults !rootpw
+ /etc/sudoers:Defaults !runaspw
+
+If conflicting results are returned, this is a finding.
+If "Defaults !targetpw" is not defined, this is a finding.
+If "Defaults !rootpw" is not defined, this is a finding.
+If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
+
+If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002038Configure the "sudo" command to require re-authentication.
+Edit the /etc/sudoers file:
+$ sudo visudo
+
+Add or modify the following line:
+Defaults timestamp_timeout=[value]
+Note: The "[value]" must be a number that is greater than or equal to "0".
+
+Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
+
+$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d
+/etc/sudoers:Defaults timestamp_timeout=0
+
+If conflicting results are returned, this is a finding.
+
+If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010483Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
+The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account.
+
+Edit the /etc/grub.d/01_users file and add or modify the following lines:
+
+set superusers="[someuniquestringhere]"
+export superusers
+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
+
+Generate a new grub.cfg file with the following command:
+
+$ sudo grub2-mkconfig -o /boot/grub2/grub.cfgFor systems that use UEFI, this is Not Applicable.
+
+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
+
+Verify that a unique name is set as the "superusers" account:
+
+# grep -iw "superusers" /boot/grub2/grub.cfg
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010492Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
+The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account.
+
+Edit the /etc/grub.d/01_users file and add or modify the following lines:
+
+set superusers="[someuniquestringhere]"
+export superusers
+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
+
+Generate a new grub.cfg file with the following command:
+
+$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable.
+
+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
+
+Verify that a unique name is set as the "superusers" account:
+
+$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020021The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to confine SELinux users to roles that conform to least privilege.
+
+Use the following command to map the "staff_u" SELinux user to the "staff_r" and "sysadm_r" roles:
+
+ $ sudo semanage user -m staff_u -R staff_r -R sysadm_r
+
+Use the following command to map the "user_u" SELinux user to the "user_r" role:
+
+ $ sudo semanage -m user_u -R user_rVerify the operating system confines SELinux users to roles that conform to least privilege.
+
+Check the SELinux User list to SELinux Roles mapping by using the following command:
+
+ $ sudo semanage user -l
+
+ Labeling MLS/ MLS/
+ SELinux User Prefix MCS Level MCS Range SELinux Roles
+
+ guest_u user s0 s0 guest_r
+ root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
+ staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
+ sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
+ system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
+ unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
+ user_u user s0 s0 user_r
+ xguest_u user s0 s0 xguest_r
+
+If the output differs from the above example, ask the system administrator (SA) to demonstrate how the SELinux User mappings are exercising least privilege. If deviations from the example are not documented with the information system security officer (ISSO) and do not demonstrate least privilege, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020022The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to prevent privileged accounts from utilizing SSH.
+Use the following command to set the "ssh_sysadm_login" boolean to "off":
+
+ $ sudo setsebool -P ssh_sysadm_login off
+
+Note: SELinux confined users mapped to sysadm_u are not allowed to login to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to "on" with the following command:
+
+ $ sudo setsebool -P ssh_sysadm_login on
+
+This must be documented with the ISSO as an operational requirement.Verify the operating system prevents privileged accounts from utilizing SSH.
+Check the SELinux ssh_sysadm_login boolean with the following command:
+
+ $ sudo getsebool ssh_sysadm_login
+ ssh_sysadm_login --> off
+
+If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command.
+Edit a file in the "/etc/sudoers.d" directory with the following command:
+
+ $ sudo visudo -f /etc/sudoers.d/<customfile>
+
+Use the following example to build the <customfile> in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:
+
+ %{designated_group_or_user_name} ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
+
+Remove any configurations that conflict with the above from the following locations:
+
+ /etc/sudoers
+ /etc/sudoers.d/Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command:
+
+This command must be ran as root:
+
+ # grep -r sysadm_r /etc/sudoers /etc/sudoers.d
+ %{designated_group_or_user_name} ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
+
+If conflicting results are returned, this is a finding.
+
+If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010291The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands:
+
+Perform a password reset:
+$ sudo passwd [username]
+Lock an account:
+$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command:
+
+$ sudo awk -F: '!$2 {print $1}' /etc/shadow
+
+If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010339The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
+
+It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.
+
+Edit the /etc/sudoers file with the following command:
+
+$ sudo visudo
+
+Add or modify the following line:
+#includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable.
+
+Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
+
+$ sudo grep include /etc/sudoers
+
+#includedir /etc/sudoers.d
+
+If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.
+
+Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:
+
+$ sudo grep -r include /etc/sudoers.d
+
+If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002038Configure the operating system to require users to supply a password for privilege escalation.
+
+Check the configuration of the "/etc/ pam.d/sudo" file with the following command:
+$ sudo vi /etc/pam.d/sudo
+
+Remove any occurrences of "pam_succeed_if" in the file.Verify the operating system is not be configured to bypass password requirements for privilege escalation.
+
+Check the configuration of the "/etc/pam.d/sudo" file with the following command:
+
+$ sudo grep pam_succeed_if /etc/pam.d/sudo
+
+If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002696Install AIDE, initialize it, and perform a manual check.
+
+Install AIDE:
+ $ sudo yum install aide
+
+Initialize it:
+ $ sudo /usr/sbin/aide --init
+
+ AIDE, version 0.15.1
+ ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
+
+The new database will need to be renamed to be read by AIDE:
+ $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+Perform a manual check:
+ $ sudo /usr/sbin/aide --check
+
+ AIDE, version 0.15.1
+ ### All files match AIDE database. Looks okay!
+
+Done.Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.
+
+Check that the AIDE package is installed with the following command:
+ $ sudo rpm -q aide
+
+ aide-0.15.1-13.el7.x86_64
+
+If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
+
+If there is no application installed to perform integrity checks, this is a finding.
+
+If AIDE is installed, check if it has been initialized with the following command:
+ $ sudo /usr/sbin/aide --check
+
+If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>RHEL-07-010271The Red Hat Enterprise Linux operating system must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors.
+
+Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
+
+The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001682Configure the operating system to expire temporary accounts after 72 hours with the following command:
+
+ $ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>Verify temporary accounts have been provisioned with an expiration date of 72 hours.
+
+For every existing temporary account, run the following command to obtain its account expiration information:
+
+ $ sudo chage -l <temporary_account_name> | grep -i "account expires"
+
+Verify each of these accounts has an expiration date set within 72 hours.
+If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040712The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config":
+
+ KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+
+Restart the "sshd" service for changes to take effect:
+
+ $ sudo systemctl restart sshdVerify that the SSH server is configured to use only FIPS-validated key exchange algorithms:
+
+ $ sudo grep -i kexalgorithms /etc/ssh/sshd_config
+ KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+
+If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010090The Red Hat Enterprise Linux operating system must have the screen package installed.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The screen and tmux packages allow for a session lock to be implemented and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000057Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity.
+
+Install the screen program (if it is not on the system) with the following command:
+
+ # yum install screen
+
+OR
+
+Install the tmux program (if it is not on the system) with the following command:
+
+ # yum install tmuxVerify the operating system has the screen package installed.
+
+Check to see if the screen package is installed with the following command:
+
+ # yum list installed screen
+ screen-4.3.1-3-x86_64.rpm
+
+If the screen package is not installed, check to see if the tmux package is installed with the following command:
+
+ # yum list installed tmux
+ tmux-1.8-4.el7.x86_64.rpm
+
+If either the screen package or the tmux package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-07-010375The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a non-privileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001090Configure the operating system to restrict access to the kernel message buffer.
+
+Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:
+
+ kernel.dmesg_restrict = 1
+
+Remove any configurations that conflict with the above from the following locations:
+ /run/sysctl.d/
+ /etc/sysctl.d/
+ /usr/local/lib/sysctl.d/
+ /usr/lib/sysctl.d/
+ /lib/sysctl.d/
+ /etc/sysctl.conf
+
+Reload settings from all system configuration files with the following command:
+
+ $ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands:
+
+ $ sudo sysctl kernel.dmesg_restrict
+ kernel.dmesg_restrict = 1
+
+If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.
+
+Check that the configuration files are present to enable this kernel parameter:
+
+ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ /etc/sysctl.conf:kernel.dmesg_restrict = 1
+ /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1
+
+If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010199The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.<VulnDiscussion>When using the authconfig utility to modify authentication configuration settings, the "system-auth" and "password-auth" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000196Create custom configuration files and their corresponding symbolic links:
+
+Rename the existing configuration files (skip this step if symbolic links are already present):
+ $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
+ $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
+
+Create custom system-auth configuration file:
+ $ sudo vi /etc/pam.d/system-auth-local
+
+The new file, at minimum, must contain the following lines:
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth include system-auth-ac
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account required pam_faillock.so
+account include system-auth-ac
+
+password requisite pam_pwhistory.so remember=5 retry=3
+password requisite pam_pwquality.so retry=3
+password include system-auth-ac
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session include system-auth-ac
+
+Create custom password-auth configuration file:
+ $ sudo vi /etc/pam.d/password-auth-local
+
+The new file, at minimum, must contain the following lines:
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth include password-auth-ac
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account required pam_faillock.so
+account include password-auth-ac
+
+password requisite pam_pwhistory.so use_authtok remember=5 retry=3
+password requisite pam_pwquality.so retry=3
+password include password-auth-ac
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session include password-auth-ac
+
+Create new or move existing symbolic links to the new custom configuration files:
+ $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
+ $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
+
+Once finished, the following file structure should be present:
+ $ sudo ls -1 /etc/pam.d/{password,system}-auth*
+
+ /etc/pam.d/password-auth
+ /etc/pam.d/password-auth-ac
+ /etc/pam.d/password-auth-local
+ /etc/pam.d/system-auth
+ /etc/pam.d/system-auth-ac
+ /etc/pam.d/system-auth-local
+
+Note: With this solution in place, any custom settings to "system-auth" and "password-auth" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to "system-auth-ac" and "password-auth-ac" and continue to function as expected.Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local":
+ $ sudo ls -l /etc/pam.d/{password,system}-auth
+
+ lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local
+ lrwxrwxrwx. 1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local
+
+If system-auth and password-auth files are not symbolic links, this is a finding.
+
+If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-010019The Red Hat Enterprise Linux operating system must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001749Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.
+
+Insert RHEL 7 installation disc or attach RHEL 7 installation image to the system. Mount the disc or image to make the contents accessible inside the system.
+
+Assuming the mounted location is "/media/cdrom", use the following command to copy Red Hat GPG key file onto the system:
+
+ $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/
+
+Import Red Hat GPG keys from key file into system keyring:
+
+ $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+Using the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.
+
+Note: For Red Hat Enterprise Linux 7 software packages, Red Hat uses GPG keys labeled "release key 2" and "auxiliary key". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" by default.
+
+List Red Hat GPG keys installed on the system:
+
+ $ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "red hat"
+
+ gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
+ gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
+
+If Red Hat GPG keys "release key 2" and "auxiliary key" are not installed, this is a finding.
+
+List key fingerprints of installed Red Hat GPG keys:
+
+ $ sudo gpg -q --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" is missing, this is a finding.
+
+Example output:
+
+ pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2) <security@redhat.com>
+ Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
+ pub 1024D/2FA658E0 2006-12-01 Red Hat, Inc. (auxiliary key) <security@redhat.com>
+ Key fingerprint = 43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0
+
+Compare key fingerprints of installed Red Hat GPG keys with fingerprints listed on Red Hat "Product Signing Keys" webpage at https://access.redhat.com/security/team/key.
+
+If key fingerprints do not match, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010063The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces.<VulnDiscussion>Leaving the user list enabled is a security risk as it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the operating system to disable the login screen user list for graphical user interfaces.
+
+Create or edit the gdm profile in "/etc/dconf/profile/" to contain the following lines:
+
+ $ sudo vi /etc/dconf/profile/gdm
+
+ user-db:user
+ system-db:gdm
+ file-db:/usr/share/gdm/greeter-dconf-defaults
+
+Create or edit the gdm database for machine-wide settings in "/etc/dconf/db/gdm.d/" with the following lines:
+
+ $ sudo vi /etc/dconf/db/gdm.d/00-login-screen
+
+ [org/gnome/login-screen]
+ disable-user-list=true
+
+Update the system databases by updating the dconf utility:
+
+ $ sudo dconf update
+
+If the login screen user list persists after updating the system databases, you can restart the GNOME Desktop without rebooting the system:
+
+ $ sudo systemctl restart gdmVerify that the operating system is configured to disable the login screen user list for graphical user interfaces.
+
+Note: If the system does not have the GNOME Desktop installed, this requirement is Not Applicable.
+
+Verify that the login screen user list for the GNOME Desktop is disabled with the following command:
+
+ $ sudo grep -is disable-user-list /etc/dconf/db/gdm.d/*
+
+ /etc/dconf/db/gdm.d/00-login-screen:disable-user-list=true
+
+If the variable "disable-user-list" is not defined in a file under "/etc/dconf/db/gdm.d/", is not set to "true", is missing or commented out, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020028The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
+
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001744Install the "mailx" package on the system:
+
+ $ sudo yum install mailxVerify that the operating system is configured to allow sending email notifications.
+
+Note: The "mailx" package provides the "mail" command that is used to send email messages.
+
+Verify that the "mailx" package is installed on the system:
+
+ $ sudo yum list installed mailx
+
+ mailx.x86_64 12.5-19.el7 @rhel-7-server-rpms
+
+If "mailx" package is not installed, this is a finding.
\ No newline at end of file
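Review bot: The XCCDF element structure is missing from this file: on the line ending "If key fingerprints do not match, this is a finding." the check text runs straight into "SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010063The Red Hat Enterprise Linux operating system must disable..." with no <Group>, <Rule>, <title>, <fixtext> or <check-content> elements around the rule id, title, fix text and check text; only the empty elements (<GroupDescription>, <FalsePositives>, <Documentable>false</Documentable>, ...) survive. The same pattern repeats for RHEL-07-020028, so what is being committed looks like the text content extracted from the XCCDF rather than the XML itself, and any tooling that reads benchmarks/DISA/*.xml as XCCDF will find no rules in it. Please commit the original Manual-xccdf.xml from the DISA benchmark ZIP, and while at it add the trailing newline the hunk ends without ("\ No newline at end of file").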
diff --git a/benchmarks/DISA/U_SLES_15_STIG_V2R1_Manual-xccdf.xml b/benchmarks/DISA/U_SLES_15_STIG_V2R1_Manual-xccdf.xml
new file mode 100644
index 000000000..21787df0f
--- /dev/null
+++ b/benchmarks/DISA/U_SLES_15_STIG_V2R1_Manual-xccdf.xml
@@ -0,0 +1,4464 @@
+acceptedSUSE Linux Enterprise Server 15 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 24 Jul 20243.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription.
+
+If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.Verify the SUSE operating system is a vendor-supported release.
+
+Use the following command to verify the SUSE operating system is a vendor-supported release:
+
+> cat /etc/os-release
+
+NAME="SLES"
+VERSION="15"
+
+Or any SUSE Linux Enterprise 15 Service Pack follow up release.
+
+NAME="SLES"
+VERSION="15-SPx"
+
+Current End of Life for SLES 15 General Support is 31 Jul 2028 and Long-term Support is until 31 Jul 2031.
+
+If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-010010Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep SUSE operating system and application software patched is a common mistake made by IT professionals. New patches are released frequently, and it is often difficult for even experienced System Administrators (SAs) to keep abreast of all the new patches. When new weaknesses in a SUSE operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001227Install the applicable SUSE operating system patches available from SUSE by running the following command:
+
+> sudo zypper patchVerify the SUSE operating system security patches and updates are installed and up to date.
+
+Note: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).
+
+Check for required SUSE operating system patches and updates with the following command:
+
+> sudo zypper patch-check
+
+0 patches needed (0 security patches)
+
+If the patch repository data is corrupt, check that the available package security updates have been installed on the system with the following command:
+
+> cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd "
+
+2016-12-14 11:59:36 | install | libapparmor1-32bit | 2.8.0-2.4.1
+2016-12-14 11:59:36 | install | pam_apparmor | 2.8.0-2.4.1
+2016-12-14 11:59:36 | install | pam_apparmor-32bit | 2.8.0-2.4.1
+
+If the SUSE operating system has not been patched within the site or PMO frequency, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-15-010020The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via local console.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DOD will not be in compliance with system use notifications required by law.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SUSE operating system:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000048Configure the SUSE operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via local console by performing the following tasks:
+
+Edit the "motd" file and replace the default text inside with the Standard Mandatory DOD banner text:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify the SUSE operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via local console.
+
+Check the "motd" (message of the day) file to verify that it contains the DOD required banner text:
+
+> more /etc/issue
+
+The output must display the following DOD-required banner text:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+If the output does not display the correct banner text, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>SLES-15-010030The SUSE operating system must not have the vsftpd package installed if not required for operational support.<VulnDiscussion>It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions).
+
+Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled.
+
+Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000197CCI-000381Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:
+
+> sudo zypper remove vsftpdVerify the vsftpd package is not installed on the SUSE operating system.
+
+Check that the vsftpd package is not installed on the SUSE operating system by running the following command:
+
+> zypper info vsftpd | grep Installed
+
+If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-15-010040The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SUSE operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the SUSE operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system by running the following commands:
+
+Edit the "sshd_config" file and edit the Banner flag to be the following:
+
+Banner /etc/issue/
+
+Restart the sshd daemon:
+
+> sudo systemctl restart sshd.service
+
+To configure the system logon banner, edit the "/etc/issue" file. Replace the default text inside with the Standard Mandatory DOD banner text:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify the SUSE operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH.
+
+Check the issue file to verify it contains one of the DOD required banners. If it does not, this is a finding.
+
+> more /etc/issue
+
+The output must display the following DOD-required banner text:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+If the output does not display the banner text, this is a finding.
+
+Check the banner setting for sshd_config:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner'
+
+Banner /etc/issue
+
+If "Banner" is not set to "/etc/issue", this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-15-010050The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).<VulnDiscussion>The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).
+
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000048CCI-000050Configure the SUSE operating system to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.
+
+Note: If a graphical user interface is not installed, this requirement is Not Applicable.
+
+Edit the file "/etc/gdm/Xsession".
+
+Add the following content to the file "/etc/gdm/Xsession" below the line #!/bin/sh:
+
+if ! zenity --text-info \
+--title "Consent" \
+--filename=/etc/gdm/banner \
+--no-markup \
+--checkbox="Accept." 10 10; then
+sleep 1;
+exit 1;
+fi
+
+Save the file "/etc/gdm/Xsession".Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local GUI.
+
+Note: If a graphical user interface is not installed, this requirement is Not Applicable.
+
+Check the configuration by running the following command:
+
+> more /etc/gdm/Xsession
+
+The beginning of the file must contain the following text immediately after (#!/bin/sh):
+
+if ! zenity --text-info \
+--title "Consent" \
+--filename=/etc/gdm/banner \
+--no-markup \
+--checkbox="Accept." 10 10; then
+sleep 1;
+exit 1;
+fi
+
+If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.SRG-OS-000024-GPOS-00007<GroupDescription></GroupDescription>SLES-15-010060The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
+
+To establish acceptance of the application usage policy, a click-through banner at system logon is required. The system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000050Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Configure the SUSE operating system file "/etc/gdm/banner" to contain the Standard Mandatory DoD Notice and Consent Banner by running the following commands:
+
+> sudo vi /etc/gdm/banner
+
+Add the following information to the file:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Verify the SUSE operating system file "/etc/gdm/banner" contains the Standard Mandatory DoD Notice and Consent Banner text by running the following command:
+
+> more /etc/gdm/banner
+
+If the file does not contain the following text, this is a finding.
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>SLES-15-010080The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for SUSE operating system:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Configure the SUSE operating system to display a banner before local or remote access to the system via a graphical user logon.
+
+Create a database that will contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
+
+> sudo mkdir -p /etc/dconf/db/gdm.d
+> sudo touch /etc/dconf/db/gdm.d/01-banner-message
+
+Add the following content into /etc/dconf/profile/gdm:
+
+user-db:user
+system-db:gdm
+file-db:/usr/share/gdm/greeter-dconf-defaults
+
+Add the following line to the "[org/gnome/login-screen]" section of the "/etc/dconf/db/gdm.d/01-banner-message" file:
+
+[org/gnome/login-screen]
+banner-message-enable=true
+
+Update the system databases:
+
+> sudo dconf update
+
+Users must log out and back in again before the system-wide settings take effect.Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Verify the SUSE operating system displays a banner before local or remote access to the system via a graphical user logon.
+
+Check that the SUSE operating system displays a banner at the logon screen by performing the following command:
+
+> grep banner-message-enable /etc/dconf/db/gdm.d/*
+banner-message-enable=true
+
+> cat /etc/dconf/profile/gdm
+user-db:user
+system-db:gdm
+file-db:/usr/share/gdm/greeter-dconf-defaults
+
+If "banner-message-enable" is set to "false" or is missing completely, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>SLES-15-010090The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for SUSE operating system:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Configure the SUSE operating system to display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.
+
+Create a database to contain the system wide graphical user logon settings (if it does not already exist) by performing the following command:
+
+> sudo touch /etc/dconf/db/gdm.d/01-banner-message
+
+Add the following lines to the "[org/gnome/login-screen]" section of the "dconf/db/gdm.d/01-banner-message" file:
+
+[org/gnome/login-screen]
+banner-message-text="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Note: The "\n" characters are for formatting only. They will not be displayed on the GUI.
+
+Run the following command to update the database:
+> sudo dconf updateNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Verify the SUSE operating system displays the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.
+
+Check that the SUSE operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text by performing the following command:
+
+> grep banner-message-text /etc/dconf/db/gdm.d/*
+banner-message-text=
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Note: The "\n" characters are for formatting only. They will not be displayed on the GUI.
+
+If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-15-010100The SUSE operating system must be able to lock the graphical user interface (GUI).<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
+
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000056CCI-000057CCI-000060Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session; otherwise, the command will not work correctly.
+
+Configure the SUSE operating system to allow the user to lock the GUI.
+
+Run the following command to configure the SUSE operating system to allow the user to lock the GUI:
+
+> sudo gsettings set org.gnome.desktop.lockdown disable-lock-screen falseVerify the SUSE operating system allows the user to lock the GUI.
+
+Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Run the following command:
+
+> sudo gsettings get org.gnome.desktop.lockdown disable-lock-screen
+
+If the result is "true", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-15-010110The SUSE operating system must utilize vlock to allow for session locking.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
+
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000056CCI-000057CCI-000060Allow users to lock the console by installing the "kbd" package using zypper:
+
+> sudo zypper install kbdCheck that the SUSE operating system has the "vlock" package installed by running the following command:
+
+> zypper search --installed-only --match-exact --provides vlock
+
+If the command outputs "no matching items found", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-15-010120The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI).<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.
+
+Rather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000057Configure the SUSE operating system to initiate a session lock after a 15-minute period of inactivity of the GUI by running the following command:
+
+Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session, otherwise the command will not work correctly.
+
+> sudo gsettings set org.gnome.desktop.session idle-delay 900Verify the SUSE operating system initiates a session lock after a 15-minute period of inactivity via the GUI by running the following command:
+
+Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+> sudo gsettings get org.gnome.desktop.session idle-delay
+
+uint32 900
+
+If the command does not return a value less than or equal to "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-15-010130The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.
+
+Rather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000057Configure the SUSE operating system to initiate a session lock after a 15-minute period of inactivity by modifying or creating (if it does not already exist) the "/etc/profile.d/autologout.sh" file and add the following lines to it:
+
+TMOUT=900
+readonly TMOUT
+export TMOUT
+
+Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command:
+
+> sudo chmod +x /etc/profile.d/autologout.shVerify the SUSE operating system must initiate a session logout after a 15-minute period of inactivity for all connection types.
+
+Check the proper script exists to kill an idle session after a 15-minute period of inactivity with the following command:
+
+> cat /etc/profile.d/autologout.sh
+TMOUT=900
+readonly TMOUT
+export TMOUT
+
+If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not the same, this is a finding.SRG-OS-000031-GPOS-00012<GroupDescription></GroupDescription>SLES-15-010140The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. The SUSE operating system session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed.
+
+Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images conveys sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000060Note: If the system does not have X Windows installed, this requirement is Not Applicable.
+
+Configure the SUSE operating system to use a publically viewable image by finding the Settings menu and then navigate to the Background selection section:
+
+- Click "Activities" on the top left.
+- Click "Show Applications" at the bottom of the Activities menu.
+- Click the "Settings" icon.
+- Click "Background" from left hand menu.
+- Select image and set the Lock Screen image to the user's choice.
+- Exit Settings Dialog.Verify the SUSE operating system conceals via the session lock information previously visible on the display with a publicly viewable image in the GUI.
+
+Note: If the system does not have X Windows installed, this requirement is Not Applicable.
+
+Check that the lock screen is set to a publicly viewable image by running the following command:
+
+> sudo gsettings get org.gnome.desktop.screensaver picture-uri
+'file:///usr/share/wallpapers/SLE-default-static.xml'
+
+If nothing is returned or "org.gnome.desktop.screensaver" is not set, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>SLES-15-010150The SUSE operating system must log SSH connection attempts and failures to the server.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000067Configure SSH to verbosely log connection attempts and failed logon attempts to the SUSE operating system.
+
+Add or update the following line in the "/etc/ssh/sshd_config" file:
+
+LogLevel VERBOSE
+
+The SSH service will need to be restarted in order for the changes to take effect.Verify SSH is configured to verbosely log connection attempts and failed logon attempts to the SUSE operating system.
+
+Check that the SSH daemon configuration verbosely logs connection attempts and failed logon attempts to the server with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel'
+
+The output message must contain the following text:
+
+LogLevel VERBOSE
+
+If the output message does not contain "VERBOSE", the LogLevel keyword is missing, or the line is commented out, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>SLES-15-010160The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
+
+The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.
+
+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000068Edit the SSH daemon configuration (/etc/ssh/sshd_config) and remove any ciphers not starting with "aes" and remove any ciphers ending with "cbc". If necessary, add a "Ciphers" line:
+
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+Restart the SSH daemon:
+
+> sudo systemctl restart sshd.serviceVerify the SUSE operating system implements DOD-approved encryption to protect the confidentiality of SSH remote connections.
+
+Check the SSH daemon configuration for allowed ciphers with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ciphers'
+
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>SLES-15-010170The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
+
+A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
+
+When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
+
+This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
+
+Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000185CCI-004068Configure the SUSE operating system for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
+
+Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca":
+
+cert_policy = ca,signature,oscp_on;
+
+Note: Additional certificate validation polices are permitted.
+
+Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.Verify the SUSE operating system for PKI-based authentication had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
+
+Check that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command:
+
+> grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
+
+cert_policy = ca,oscp_on,signature,crl_auto;
+
+If "cert_policy" is not set to include "ca", this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>SLES-15-010180The SUSE operating system must not have the telnet-server package installed.<VulnDiscussion>It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions).
+
+Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled.
+
+Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000197CCI-000381Remove the telnet-server package from the SUSE operating system by running the following command:
+
+> sudo zypper remove telnet-serverVerify the telnet-server package is not installed on the SUSE operating system.
+
+Check that the telnet-server package is not installed on the SUSE operating system by running the following command:
+
+> zypper info telnet-server | grep Installed
+
+If the telnet-server package is installed, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-15-010190SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+
+Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000213Note: If the system does not use a BIOS this requirement is Not Applicable.
+
+Configure the SUSE operating system to encrypt the boot password.
+
+Generate an encrypted (GRUB2) password for root with the following command:
+
+> grub2-mkpasswd-pbkdf2
+Enter Password:
+Reenter Password:
+PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG
+
+Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry:
+
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.VeryLongString
+
+Generate an updated "grub.conf" file with the new password using the following commands:
+
+> sudo grub2-mkconfig --output=/tmp/grub2.cfg
+> sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfgVerify that the SUSE operating system has set an encrypted root password.
+
+Note: If the system does not use a BIOS this requirement is Not Applicable.
+
+Check that the encrypted password is set for root with the following command:
+
+> sudo cat /boot/grub2/grub.cfg | grep -i password
+
+password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString
+
+If the root password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-15-010200SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000213Note: If the system does not use UEFI, this requirement is Not Applicable.
+
+Configure the SUSE operating system to encrypt the boot password.
+
+Generate an encrypted (GRUB2) password for root with the following command:
+
+> grub2-mkpasswd-pbkdf2
+Enter Password:
+Reenter Password:
+PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG
+
+Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry:
+
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.VeryLongString
+
+Generate an updated "grub.conf" file with the new password using the following commands:
+
+> sudo grub2-mkconfig --output=/tmp/grub2.cfg
+> sudo mv /tmp/grub2.cfg /boot/efi/EFI/sles/grub.cfgVerify that the SUSE operating system has set an encrypted root password.
+
+Note: If the system does not use UEFI, this requirement is Not Applicable.
+
+Check that the encrypted password is set for root with the following command:
+
+> sudo cat /boot/efi/EFI/sles/grub.cfg | grep -i password
+
+password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString
+
+If the root password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>SLES-15-010220The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, the SUSE operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or address authorized quality-of-life issues.
+
+Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000382CCI-002314Configure the SUSE operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
+
+Add/modify /etc/firewalld configuration files to comply with the PPSM CAL.
+
+Enable the "firewalld.service" by running the following command:
+
+> sudo systemctl enable firewalld.service
+
+Start the "firewalld.service" by running the following command:
+
+> sudo systemctl start firewalld.serviceVerify the SUSE operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
+
+Check that the "firewalld.service" is enabled and running by running the following command:
+
+> systemctl status firewalld.service
+ firewalld.service - firewalld - dynamic firewall daemon
+ Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
+ Active: active (running) since Wed 2019-11-06 10:58:11 CET; 24h ago
+ Docs: man:firewalld(1)
+ Main PID: 1105 (firewalld)
+ Tasks: 2 (limit: 4915)
+ CGroup: /system.slice/firewalld.service
+ ??1105 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
+
+If the service is not enabled, this is a finding.
+
+If the service is not active, this is a finding.
+
+Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command:
+
+> sudo firewall-cmd --list-all
+
+Ask the System Administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
+
+If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
+
+If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>SLES-15-010230The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
+
+1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
+
+2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
+
+Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000764CCI-000804Configure the SUSE operating system to contain no duplicate UIDs for interactive users.
+
+Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.Verify the SUSE operating system contains no duplicate UIDs for interactive users.
+
+Check that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command:
+
+> awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+
+If output is produced, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>SLES-15-010240The SUSE operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000778CCI-001958Configure the SUSE operating system to disable the ability to automount devices.
+
+Turn off the automount service with the following command:
+
+> systemctl stop autofs
+> systemctl disable autofs
+
+If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the SUSE operating system disables the ability to automount devices.
+
+Check to see if automounter service is active with the following command:
+
+> systemctl status autofs
+autofs.service - Automounts filesystems on demand
+Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
+Active: inactive (dead)
+
+If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>SLES-15-010260The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised.
+
+SUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000803Configure the SUSE operating system to require "ENCRYPT_METHOD" of "SHA512".
+
+Edit the "/etc/login.defs" file with the following line:
+
+ENCRYPT_METHOD SHA512Verify the SUSE operating system requires that the "ENCRYPT_METHOD" value in "/etc/login.defs" is set to "SHA512".
+
+Check the value of "ENCRYPT_METHOD" value in "/etc/login.defs" with the following command:
+
+> grep "^ENCRYPT_METHOD " /etc/login.defs
+
+ENCRYPT_METHOD SHA512
+
+If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>SLES-15-010270The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
+
+Satisfies: SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000877CCI-001453CCI-003123Configure the SUSE operating system SSH daemon to only use MACs that employ FIPS 140-2 approved hashes.
+
+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (The file might be named differently or be in a different location):
+
+MACs hmac-sha2-512,hmac-sha2-256Verify the SUSE operating system SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes.
+
+Check that the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*macs'
+
+MACs hmac-sha2-512,hmac-sha2-256
+
+If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000126-GPOS-00066<GroupDescription></GroupDescription>SLES-15-010280The SUSE operating system SSH daemon must be configured with a timeout interval.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system-level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+
+Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001133CCI-002361Configure the SUSE operating system SSH daemon to timeout idle sessions.
+
+Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file:
+
+ClientAliveInterval 600
+
+The SSH daemon must be restarted for any changes to take effect.Verify the SUSE operating system SSH daemon is configured to timeout idle sessions.
+
+Check that the "ClientAliveInterval" parameter is set to a value of "600" with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval'
+
+ClientAliveInterval 600
+
+If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-15-010300The sticky bit must be set on all SUSE operating system world-writable directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+
+This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
+
+There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001090Configure the SUSE operating system shared system resources to prevent any unauthorized and unintended information transfer by setting the sticky bit for all world-writable directories.
+
+An example of a world-writable directory is "/tmp" directory. Set the sticky bit on all of the world-writable directories (using the "/tmp" directory as an example) with the following command:
+
+> sudo chmod 1777 /tmp
+
+For every world-writable directory, replace "/tmp" in the command above with the world-writable directory that does not have the sticky bit set.Verify the SUSE operating system prevents unauthorized and unintended information transfer via the shared system resources.
+
+Check that world-writable directories have the sticky bit set with the following command:
+
+> sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -perm -002 -type d -exec ls -lLd {} \;
+
+256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp
+
+If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>SLES-15-010310The SUSE operating system must be configured to use TCP syncookies.<VulnDiscussion>Denial of Service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
+
+Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001095Configure the SUSE operating system to use IPv4 TCP syncookies by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.tcp_syncookies=1
+
+If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system is configured to use IPv4 TCP syncookies.
+
+Check to see if syncookies are used with the following command:
+
+> sudo sysctl net.ipv4.tcp_syncookies
+net.ipv4.tcp_syncookies = 1
+
+If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>SLES-15-010320The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.
+
+Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.
+
+Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
+
+This capability is typically reserved for specific SUSE operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001133CCI-002361Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity.
+
+Modify or append the following lines in the "/etc/ssh/sshd_config" file:
+
+ClientAliveCountMax 0
+
+In order for the changes to take effect, the SSH daemon must be restarted.
+
+> sudo systemctl restart sshd.serviceVerify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
+
+Check that the "ClientAliveCountMax" variable is set to a value of "0" or less by performing the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax'
+
+ClientAliveCountMax 0
+
+If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "0" or less in "/etc/ssh/sshd_config", or the line is commented out, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>SLES-15-010330All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.<VulnDiscussion>SUSE operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
+
+Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001199CCI-002475Configure the SUSE operating system to prevent unauthorized modification of all information at rest by using disk encryption.
+
+Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog.
+
+Refer to the document "SUSE Linux Enterprise Server 15 SP1 - Security Guide", Section 12.1.2, for a detailed disk encryption guide:
+
+https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-cryptofs.html#sec-security-cryptofs-y2-part-runVerify the SUSE operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption.
+
+Determine the partition layout for the system with the following command:
+
+> sudo fdisk -l
+
+Device Boot Start End Sectors Size Id Type
+/dev/sda1 2048 4208639 4206592 2G 82 Linux swap
+/dev/sda2 * 4208640 53479423 49270784 23.5G 83 Linux
+/dev/sda3 53479424 125829119 72349696 34.5G 83 Linux
+
+Verify the system partitions are all encrypted with the following command:
+
+> sudo more /etc/crypttab
+
+cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64
+cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765
+cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac
+
+
+Every persistent disk partition present on the system must have an entry in the file.
+
+If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.SRG-OS-000205-GPOS-00083<GroupDescription></GroupDescription>SLES-15-010340The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.<VulnDiscussion>Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.
+
+Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
+
+The /var/log/btmp, /var/log/wtmp, and /var/log/lastlog files have group write and global read permissions to allow for the lastlog function to perform. Limiting the permissions beyond this configuration will result in the failure of functions that rely on the lastlog database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001312Configure the SUSE operating system to set permissions of all log files under /var/log directory to "640" or more restricted, by using the following command:
+
+Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details.
+
+> sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;Verify the SUSE operating system has all system log files under the /var/log directory with a permission set to "640", by using the following command:
+
+Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details.
+
+> sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \;
+
+If command displays any output, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>SLES-15-010350The SUSE operating system must prevent unauthorized users from accessing system error messages.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001314Configure the SUSE operating system to prevent unauthorized users from accessing system error messages.
+
+Add or update the following rules in "/etc/permissions.local":
+
+/var/log/messages root:root 640
+
+Set the correct permissions with the following command:
+
+> sudo chkstat --set --systemVerify the SUSE operating system prevents unauthorized users from accessing system error messages.
+
+Check the "/var/log/messages" file permissions with the following command:
+
+> sudo stat -c "%n %U:%G %a" /var/log/messages
+
+/var/log/messages root:root 640
+
+Check that "permissions.local" file contains the correct permissions rules with the following command:
+
+> grep -i messages /etc/permissions.local
+
+/var/log/messages root:root 640
+
+If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010351The SUSE operating system library files must have mode 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the library files to be protected from unauthorized access. Run the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode "0755" or less permissive.
+
+Check that the system-wide shared library files have mode "0755" or less permissive with the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec stat -c "%n %a" '{}' \;
+
+If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010352The SUSE operating system library directories must have mode 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the shared library directories to be protected from unauthorized access. Run the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod 755 '{}' \;Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "0755" or less permissive.
+
+Check that the system-wide shared library directories have mode "0755" or less permissive with the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \;
+
+If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010353The SUSE operating system library files must be owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \;Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root.
+
+Check that the system-wide shared library files are owned by root with the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \;
+
+If any system wide library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010354The SUSE operating system library directories must be owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root.
+
+Check that the system-wide shared library directories are owned by root with the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
+
+If any system wide library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010355The SUSE operating system library files must be group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \;Verify the system-wide library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root.
+
+Check that the system-wide library files are group-owned by root with the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \;
+
+If any system wide shared library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010356The SUSE operating system library directories must be group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system library directories to be protected from unauthorized access. Run the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \;Verify the system-wide library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root.
+
+Check that the system-wide library directories are group-owned by root with the following command:
+
+> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;
+
+If any system wide shared library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010357The SUSE operating system must have system commands set to a mode of 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system commands to be protected from unauthorized access. Run the following command:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;Verify the system commands contained in the following directories have mode "0755" or less permissive:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Check that the system command files have mode "0755" or less permissive with the following command:
+
+> find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c "%n %a" '{}' \;
+
+If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010358The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;Verify the system commands directories have mode "0755" or less permissive:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Check that the system command directories have mode "0755" or less permissive with the following command:
+
+> find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \;
+
+If any directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010359The SUSE operating system must have system commands owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;Verify the system commands contained in the following directories are owned by root:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Use the following command for the check:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \;
+
+If any system commands are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010360The SUSE operating system must have directories that contain system commands owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;Verify the system commands directories are owned by root:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Use the following command for the check:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \;
+
+If any system commands directories are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010361The SUSE operating system must have system commands group-owned by root or a system account.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account.
+
+> sudo chgrp root [FILE]Verify the system commands contained in the following directories are group-owned by root or a system account:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Run the check with the following command:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f -exec stat -c "%n %G" '{}' \;
+
+If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-15-010362The SUSE operating system must have directories that contain system commands group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;Verify the system commands directories are group-owned by root:
+
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+
+Run the check with the following command:
+
+> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \;
+
+If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.SRG-OS-000298-GPOS-00116<GroupDescription></GroupDescription>SLES-15-010370The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system.<VulnDiscussion>Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems.
+
+SUSE operating systems are capable to immediately stop remote connections and services by a local system administrator.
+
+To immediately disconnect or disable remote access, the firewall needs to be set into panic mode.
+
+> sudo firewall-cmd --panic-on
+
+To enable remote connection again, panic mode needs to be disabled.
+
+> sudo firewall-cmd --panic-off</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002322Configure the SUSE operating system to enable the firewall service. This is needed to be able to immediately disconnect or disable remote access to the whole system.
+
+Enable the "firewalld.service" by running the following command:
+
+> sudo systemctl enable firewalld.service
+
+Start the "firewalld.service" by running the following command:
+
+> sudo systemctl start firewalld.service
+
+To immediately disconnect or disable remote access the firewall needs to be set into panic mode.
+
+> sudo firewall-cmd --panic-on
+
+To enable remote connection again, panic mode needs to be disabled.
+
+> sudo firewall-cmd --panic-offVerify "firewalld" is configured to protect the SUSE operating system.
+
+Run the following command:
+
+> systemctl status firewalld.service
+ firewalld.service - firewalld - dynamic firewall daemon
+ Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
+ Active: active (running) since Wed 2019-11-06 10:58:11 CET; 24h ago
+ Docs: man:firewalld(1)
+ Main PID: 1105 (firewalld)
+ Tasks: 2 (limit: 4915)
+ CGroup: /system.slice/firewalld.service
+ ??1105 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
+
+If the service is not enabled, this is a finding.
+
+If the service is not active, this is a finding.SRG-OS-000299-GPOS-00117<GroupDescription></GroupDescription>SLES-15-010380The SUSE operating system wireless network adapters must be disabled unless approved and documented.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the SUSE operating system.
+
+This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with a SUSE operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the SUSE operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
+
+Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000481-GPOS-000481</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001443CCI-001444CCI-002418Configure the SUSE operating system to disable all wireless network interfaces with the following command:
+
+For each interface of type wireless, bring the interface into "down" state:
+
+> sudo wicked ifdown wlan0
+
+For each interface of type wireless with a configuration type of "compat:suse:", remove the associated file:
+
+> sudo rm /etc/sysconfig/network/ifcfg-wlan0
+
+For each interface of type wireless, for each configuration of type "wicked:xml:", remove the associated file or remove the interface configuration from the file.
+
+> sudo rm /etc/wicked/ifconfig/wlan0.xmlVerify that the SUSE operating system has no wireless network adapters enabled.
+
+Check that there are no wireless interfaces configured on the system with the following command:
+
+> sudo wicked show all
+
+lo up
+link: #1, state up
+type: loopback
+config: compat:suse:/etc/sysconfig/network/ifcfg-lo
+leases: ipv4 static granted
+leases: ipv6 static granted
+addr: ipv4 127.0.0.1/8 [static]
+addr: ipv6 ::1/128 [static]
+
+eth0 up
+link: #2, state up, mtu 1500
+type: ethernet, hwaddr 06:00:00:00:00:01
+config: compat:suse:/etc/sysconfig/network/ifcfg-eth0
+leases: ipv4 dhcp granted
+leases: ipv6 dhcp granted, ipv6 auto granted
+addr: ipv4 10.0.0.100/16 [dhcp]
+route: ipv4 default via 10.0.0.1 proto dhcp
+
+wlan0 up
+link: #3, state up, mtu 1500
+type: wireless, hwaddr 06:00:00:00:00:02
+config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml
+leases: ipv4 dhcp granted
+addr: ipv4 10.0.0.101/16 [dhcp]
+route: ipv4 default via 10.0.0.1 proto dhcp
+
+If a wireless interface is configured, it must be documented and approved by the local AO.
+
+If a wireless interface is configured and has not been documented and approved, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>SLES-15-010390SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.<VulnDiscussion>Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
+
+The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Verification of whitelisted software occurs prior to execution or at system startup.
+
+Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.
+
+AppArmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information.
+
+Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125, SRG-OS-000326-GPOS-00126, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00230</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001764CCI-001774CCI-002165CCI-002233CCI-002235Configure the SUSE operating system to blacklist all applications by default and permit by whitelist.
+
+Install "pam_apparmor" (if it is not installed) with the following command:
+
+> sudo zypper in pam_apparmor
+
+Enable/activate "Apparmor" (if it is not already active) with the following command:
+
+> sudo systemctl enable apparmor.service
+
+Start "Apparmor" with the following command:
+
+> sudo systemctl start apparmor.service
+
+Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.Verify that the SUSE operating system AppArmor tool is configured to control whitelisted applications and user home directory access control.
+
+Check that "pam_apparmor" is installed on the system with the following command:
+
+> zypper info pam_apparmor | grep "Installed"
+
+If the package "pam_apparmor" is not installed on the system, this is a finding.
+
+Check that the "apparmor" daemon is running with the following command:
+
+> systemctl status apparmor.service | grep -i active
+
+Active: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago
+
+If something other than "Active: active" is returned, this is a finding.
+
+Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>SLES-15-010400The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
+
+Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
+
+Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
+
+Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004923CCI-004926The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second.
+
+To configure the system clock to synchronize to an authoritative DOD time source at least every 24 hours, edit the file "/etc/chrony.conf". Add or correct the following lines by replacing "[time_source]" with an authoritative DOD time source:
+
+server [time_source] maxpoll 16The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second.
+
+Check that the SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second with the following command:
+
+> sudo grep maxpoll /etc/chrony.conf
+
+server 0.us.pool.ntp.mil maxpoll 16
+
+If nothing is returned, "maxpoll" is greater than "16", or is commented out, this is a finding.
+
+Verify the "chrony.conf" file is configured to an authoritative DOD time source by running the following command:
+
+> sudo grep -i server /etc/chrony.conf
+server 0.us.pool.ntp.mil
+
+If the parameter "server" is not set, is not set to an authoritative DOD time source, or is commented out, this is a finding.SRG-OS-000359-GPOS-00146<GroupDescription></GroupDescription>SLES-15-010410The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the SUSE operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001890Configure the SUSE operating system is configured to use UTC or GMT.
+
+To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with "UTC" or "GMT".
+
+> sudo timedatectl set-timezone [ZONE]Verify the SUSE operating system is configured to use UTC or GMT.
+
+Check that the SUSE operating system is configured to use UTC or GMT with the following command:
+
+> timedatectl status | grep -i "time zone"
+Time zone: UTC (UTC, +0000)
+
+If "Time zone" is not set to "UTC" or "GMT", this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-15-010420Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the SUSE operating system. Changes to SUSE operating system configurations can have unintended side effects, some of which may be relevant to security.
+
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the SUSE operating system. The SUSE operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrator (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
+
+Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001744CCI-002696CCI-002699Configure the SUSE operating system to check the baseline configuration for unauthorized changes at least once weekly.
+
+If the "aide" package is not installed, install it with the following command:
+
+ > sudo zypper in aide
+
+Configure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE weekly, but other file integrity tools may be used:
+
+ > cat /etc/cron.weekly/aide
+ 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+
+Note: Per requirement SLES-15-010418, the "mailx" package must be installed on the system to enable email functionality.Verify the SUSE operating system checks the baseline configuration for unauthorized changes at least once weekly.
+
+Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.
+
+Check for the presence of a cron job running daily or weekly on the system that executes AIDE to scan for changes to the system baseline. The command used in the following example looks at the daily cron job:
+
+Check the "/etc/cron" subdirectories for a "crontab" file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:
+
+ > sudo grep -R aide /etc/crontab /etc/cron.*
+ /etc/crontab: 30 04 * * * /etc/aide
+
+If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>SLES-15-010430The SUSE operating system tool zypper must have gpgcheck enabled.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the SUSE operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or SUSE operating system components must be signed with a certificate recognized and approved by the organization.
+
+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The SUSE operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003992Configure that the SUSE operating system tool zypper to enable gpgcheck by editing or adding the following line to "/etc/zypp/zypp.conf":
+
+gpgcheck = 1Verify that the SUSE operating system tool zypper has gpgcheck enabled.
+
+Check that zypper has gpgcheck enabled with the following command:
+
+> grep -i '^gpgcheck' /etc/zypp/zypp.conf
+
+gpgcheck = 1
+
+If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-010450The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
+
+When the SUSE operating system provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate.
+
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges.
+
+Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command:
+
+> sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers
+
+If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010460The SUSE operating system must have the packages required for multifactor authentication to be installed.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004046CCI-001953CCI-001954Configure the SUSE operating system to implement multifactor authentication by installing the required packages.
+
+Install the packages required to support multifactor authentication with the following commands:
+
+> zypper install pam_pkcs11
+
+> zypper install mozilla-nss
+
+> zypper install mozilla-nss-tools
+
+> zypper install pcsc-ccid
+
+> zypper install pcsc-lite
+
+> zypper install pcsc-tools
+
+> zypper install opensc
+
+> zypper install coolkey
+
+Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.Verify the SUSE operating system has the packages required for multifactor authentication installed.
+
+Check for the presence of the packages required to support multifactor authentication with the following commands:
+
+> zypper info pam_pkcs11 | grep -i installed
+
+> zypper info mozilla-nss | grep -i installed
+
+> zypper info mozilla-nss-tools | grep -i installed
+
+> zypper info pcsc-ccid | grep -i installed
+
+> zypper info pcsc-lite | grep -i installed
+
+> zypper info pcsc-tools | grep -i installed
+
+> zypper info opensc | grep -i installed
+
+> zypper info coolkey | grep -i installed
+
+If any of the packages required for multifactor authentication are not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010470The SUSE operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised.
+
+Multifactor solutions that require devices separate from information systems to gain access include hardware tokens providing time-based or challenge-response authenticators, and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components with device-specific functions, or for organizational users (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004046CCI-001953CCI-001954Configure the SUSE operating system to certificate status checking for PKI authentication.
+
+Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".
+
+Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted.
+
+Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.Verify the SUSE operating system implements certificate status checking for multifactor authentication.
+
+Check that certificate status checking for multifactor authentication is implemented with the following command:
+
+> grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy
+
+cert_policy = ca,ocsp_on,signature,crl_auto;
+
+If "cert_policy" is not set to include "ocsp", this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>SLES-15-010480The SUSE operating system must disable the USB mass storage kernel module.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+Peripherals include but are not limited to such devices as flash drives, external storage, and printers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001958Configure the SUSE operating system to prevent USB mass storage devices from automounting when connected to the host.
+
+Add or update the following line to the "/etc/modprobe.d/50-blacklist.conf" file:
+
+blacklist usb-storageVerify the SUSE operating system does not automount USB mass storage devices when connected to the host.
+
+Check that "usb-storage" is blacklisted in the "/etc/modprobe.d/50-blacklist.conf" file with the following command:
+
+> grep usb-storage /etc/modprobe.d/50-blacklist.conf
+blacklist usb-storage
+
+If nothing is output from the command, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>SLES-15-010490If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out of date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002007Configure NSS, if used by the SUSE operating system, to prohibit the use of cached authentications after one day.
+
+Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[nss]":
+
+memcache_timeout = 86400If NSS is not used on the operating system, this is Not Applicable.
+
+If NSS is used by the SUSE operating system, verify it prohibits the use of cached authentications after one day.
+
+Check that cached authentications cannot be used after one day with the following command:
+
+> sudo grep -i "memcache_timeout" /etc/sssd/sssd.conf
+
+memcache_timeout = 86400
+
+If "memcache_timeout" has a value greater than "86400", or is missing, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>SLES-15-010500The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.<VulnDiscussion>If cached authentication information is out of date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002007Configure the SUSE operating system PAM to prohibit the use of cached authentications after one day.
+
+Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]":
+
+offline_credentials_expiration = 1If SSSD is not being used on the operating system, this is Not Applicable.
+
+Verify that the SUSE operating system PAM prohibits the use of cached off line authentications after one day.
+
+Check that cached off line authentications cannot be used after one day with the following command:
+
+> sudo grep "offline_credentials_expiration" /etc/sssd/sssd.conf
+
+offline_credentials_expiration = 1
+
+If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>SLES-15-010510FIPS 140-2 mode must be enabled on the SUSE operating system.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002450To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install.
+
+Enabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. Refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance:
+
+http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdfVerify the SUSE operating system is running in FIPS mode by running the following command.
+
+> cat /proc/sys/crypto/fips_enabled
+
+1
+
+If nothing is returned, the file does not exist, or the value returned is "0", this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>SLES-15-010530All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
+
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002418CCI-002420CCI-002421CCI-002422Note: If the system is not networked, this requirement is Not Applicable.
+
+Configure the SUSE operating system to implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
+
+Install the OpenSSH package on the SUSE operating system with the following command:
+
+> sudo zypper in openssh
+
+Enable the OpenSSH service to start automatically on reboot with the following command:
+
+> sudo systemctl enable sshd.service
+
+For the changes to take effect immediately, start the service with the following command:
+
+> sudo systemctl restart sshd.serviceNote: If the system is not networked, this requirement is Not Applicable.
+
+Verify that the SUSE operating system implements SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
+
+Check that the OpenSSH package is installed on the SUSE operating system with the following command:
+
+> zypper info openssh | grep -i installed
+
+If the OpenSSH package is not installed, this is a finding.
+
+Check that the OpenSSH service active on the SUSE operating system with the following command:
+
+> systemctl status sshd.service | grep -i "active:"
+
+Active: active (running) since Thu 2017-01-12 15:03:38 UTC; 1 months 4 days ago
+
+If OpenSSH service is not active, this is a finding.SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>SLES-15-010540The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism.
+
+Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002824Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command:
+
+> sudo sysctl -w kernel.kptr_restrict=1
+
+If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system prevents leaking of internal kernel addresses.
+
+Check that the SUSE operating system prevents leaking of internal kernel addresses by running the following command:
+
+> sudo sysctl kernel.kptr_restrict
+kernel.kptr_restrict = 1
+
+If the kernel parameter "kptr_restrict" is not equal to "1" or nothing is returned, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>SLES-15-010550Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism.
+
+Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002824Configure the SUSE operating system to implement ASLR by running the following command as an administrator:
+
+> sudo sysctl -w kernel.randomize_va_space=2
+
+If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system implements ASLR.
+
+Check that the SUSE operating system implements ASLR by running the following command:
+
+> sudo sysctl kernel.randomize_va_space
+Kernel.randomize_va_space = 2
+
+If the kernel parameter "randomize_va_space" is not equal to "2" or nothing is returned, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>SLES-15-010560The SUSE operating system must remove all outdated software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002617Configure the SUSE operating system to remove all outdated software components after an update by editing the following line in "/etc/zypp/zypp.conf" to match the one provided below:
+
+solver.upgradeRemoveDroppedPackages = trueVerify the SUSE operating system removes all outdated software components after updated version have been installed by running the following command:
+
+> grep -i upgraderemovedroppedpackages /etc/zypp/zypp.conf
+
+solver.upgradeRemoveDroppedPackages = true
+
+If "solver.upgradeRemoveDroppedPackages" is commented out, is set to "false", or is missing completely, this is a finding.SRG-OS-000447-GPOS-00201<GroupDescription></GroupDescription>SLES-15-010570The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.<VulnDiscussion>If anomalies are not acted on, security functions may fail to secure the system.
+
+Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights.
+
+This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002702Configure the SUSE operating system to notify the SA when AIDE discovers anomalies in the operation of any security functions.
+
+Create the aide crontab file in "/etc/cron.daily" and add following command replacing the "[E-MAIL]" parameter with a proper email address for the SA:
+
+ 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+
+Note: Per requirement SLES-15-010418, the "mailx" package must be installed on the system to enable email functionality.Verify the SUSE operating system notifies the SA when AIDE discovers anomalies in the operation of any security functions.
+
+Check to see if the aide cron job sends an email when executed with the following command:
+
+ > grep -i "aide" /etc/cron.*/aide
+ 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+
+If the "aide" file does not exist under the "/etc/cron" directory structure or the cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-15-010580The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time.
+
+For stand-alone systems establish a procedure to off-load log messages at least once a week.
+
+For networked systems add a "@[Log_Server_IP_Address]" option to every active message label in "/etc/rsyslog.conf" that does not have one. Some examples are listed below:
+
+*.*;mail.none;news.none -/var/log/messages
+*.*;mail.none;news.none @192.168.1.101:514
+
+An additional option is to capture all of the log messages and send them to a remote log host:
+
+*.* @@loghost:514Verify that the SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.
+
+For stand-alone hosts, verify with the System Administrator that the log files are off-loaded at least weekly.
+
+For networked systems, check that rsyslog is sending log messages to a remote server with the following command:
+
+> sudo grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#"
+
+*.*;mail.none;news.none @192.168.1.101:514
+
+If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.SRG-OS-000002-GPOS-00002<GroupDescription></GroupDescription>SLES-15-020000The SUSE operating system must provision temporary accounts with an expiration date for 72 hours.<VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
+
+Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
+
+If temporary accounts are used, the SUSE operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000016In the event temporary accounts are required, configure the SUSE operating system to terminate them after "72" hours.
+
+For every temporary account, run the following command to set an expiration date on it, substituting "system_account_name" with the appropriate value:
+
+> sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name
+
+`date -d "+3 days" +%Y-%m-%d` sets the 72-hour expiration date for the account at the time the command is run.Verify that the SUSE operating system provisions temporary accounts with an expiration date for "72" hours.
+
+Ask the System Administrator if any temporary accounts have been added to the system. For every existing temporary account, run the following command to obtain its account expiration information:
+
+> sudo chage -l system_account_name
+
+Verify each of these accounts has an expiration date that is within "72" hours of its creation.
+
+If any temporary accounts have no expiration date set or do not expire within "72" hours of their creation, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>SLES-15-020010The SUSE operating system must lock an account after three consecutive invalid access attempts.<VulnDiscussion>By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
+
+The pam_tally2.so module maintains a count of attempted accesses. This includes user name entry into a logon field as well as password entry. With counting access attempts, it is possible to lock an account without presenting a password into the password field. This should be taken into consideration as it poses as an avenue for denial of service.
+
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000044CCI-002238Configure the operating system to lock an account when three unsuccessful access attempts occur.
+
+Modify the first line of the auth section "/etc/pam.d/common-auth" file to match the following lines:
+
+auth required pam_tally2.so onerr=fail silent audit deny=3
+
+Add or modify the following line in the /etc/pam.d/common-account file:
+account required pam_tally2.so
+
+Note: Manual changes to the listed files may be overwritten by the "pam-config" program. The "pam-config" program should not be used to update the configurations listed in this requirement.Verify the SUSE operating system locks a user account after three consecutive failed access attempts until the locked account is released by an administrator.
+
+Check that the system locks a user account after three consecutive failed login attempts using the following command:
+
+> grep pam_tally2.so /etc/pam.d/common-auth
+auth required pam_tally2.so onerr=fail deny=3
+
+If no line is returned or the line is commented out, this is a finding.
+If the line is missing "onerr=fail", this is a finding.
+If the line has "deny" set to a value other than 1, 2, or 3, this is a finding.
+
+Check that the system resets the failed login attempts counter after a successful login using the following command:
+
+> grep pam_tally2.so /etc/pam.d/common-account
+account required pam_tally2.so
+
+If the account option is missing, or commented out, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>SLES-15-020020The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000054Configure the SUSE operating system to limit the number of concurrent sessions to "10" or less for all accounts and/or account types.
+
+Add the following line to the file "/etc/security/limits.conf":
+
+* hard maxlogins 10Verify the SUSE operating system limits the number of concurrent sessions to 10 for all accounts and/or account types by running the following command:
+
+> grep "maxlogins" /etc/security/limits.conf
+
+The result must contain the following line:
+
+* hard maxlogins 10
+
+If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>SLES-15-020030The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000187CCI-000765CCI-000766CCI-004046CCI-001953CCI-001954CCI-004047Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM.
+
+Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line:
+
+auth sufficient pam_pkcs11.soVerify the SUSE operating system implements multifactor authentication for remote access to privileged accounts via PAM.
+
+Check that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-auth" file with the following command:
+
+> grep pam_pkcs11.so /etc/pam.d/common-auth
+
+auth sufficient pam_pkcs11.so
+
+If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>SLES-15-020040The SUSE operating system must deny direct logons to the root account using remote access via SSH.<VulnDiscussion>To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.
+
+A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account.
+
+For example, the UNIX and Windows SUSE operating systems offer a "switch user" capability, allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator.
+
+Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the SUSE operating system without identification or authentication.
+
+Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004045Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH.
+
+Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location):
+
+PermitRootLogin noVerify the SUSE operating system denies direct logons to the root account using remote access via SSH.
+
+Check that SSH denies any user trying to log on directly as root with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin'
+
+PermitRootLogin no
+
+If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>SLES-15-020050The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
+
+The SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003627CCI-003628Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration.
+
+Run the following command to change the configuration for "useradd" to disable the account identifier after 35 days:
+
+> sudo useradd -D -f 35
+
+DOD recommendation is 35 days, but a lower value greater than "0" is acceptable.Verify the SUSE operating system disables account identifiers after 35 days of inactivity since the password expiration.
+
+Check the account inactivity value by performing the following command:
+
+> sudo grep -i '^inactive' /etc/default/useradd
+
+INACTIVE=35
+
+If no output is produced, or if "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>SLES-15-020060The SUSE operating system must never automatically remove or disable emergency administrator accounts.<VulnDiscussion>Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
+
+Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.
+
+To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001682Configure the SUSE operating system to never automatically remove or disable emergency administrator accounts.
+
+Replace "[Emergency_Administrator]" in the following command with the correct emergency administrator account. Run the following command as an administrator:
+
+> sudo chage -I -1 -M 99999 [Emergency_Administrator]Verify the SUSE operating system is configured such that emergency administrator accounts are never automatically removed or disabled.
+
+Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account.
+
+Check to see if the root account password or account expires with the following command:
+
+> sudo chage -l [Emergency_Administrator]
+
+Password expires:never
+
+If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020080The SUSE operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login".
+
+Add the following line to the top of "/etc/pam.d/login":
+
+session required pam_lastlog.so showfailedVerify the SUSE operating system users are provided with feedback on when account accesses last occurred.
+
+Check that "pam_lastlog" is used and not silent with the following command:
+
+> grep pam_lastlog /etc/pam.d/login
+
+session required pam_lastlog.so showfailed
+
+If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020090The SUSE operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account.
+
+Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions.
+
+Document all authorized accounts on the system.Verify all SUSE operating system accounts are assigned to an active system, application, or user account.
+
+Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).
+
+Check the system accounts on the system with the following command:
+
+> more /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+...
+games:x:12:100:Games account:/var/games:/bin/bash
+
+Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions.
+
+If the accounts on the system do not match the provided documentation, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020091The SUSE operating system must not have unnecessary account capabilities.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary non interactive accounts should not have an interactive shell assigned to them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them.
+
+Run the following command to disable the interactive shell for a specific non-interactive user account:
+
+> sudo usermod --shell /sbin/nologin nobodyVerify all non-interactive SUSE operating system accounts do not have an interactive shell assigned to them.
+
+Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).
+
+Check the system accounts on the system with the following command:
+
+> awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd
+root:0:/bin/bash
+nobody:65534:/bin/bash
+
+If a non-interactive accounts such as "games" or "nobody" is listed with an interactive shell, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020100The SUSE operating system root account must be the only account with unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0".
+
+If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.Verify that the SUSE operating system root account is the only account with unrestricted access to the system.
+
+Check the system for duplicate UID "0" assignments with the following command:
+
+> awk -F: '$3 == 0 {print $1}' /etc/passwd
+
+root
+
+If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020101The SUSE operating system must restrict privilege elevation to authorized personnel.<VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Remove the following entries from the sudoers file:
+ALL ALL=(ALL) ALL
+ALL ALL=(ALL:ALL) ALLVerify the "sudoers" file restricts sudo access to authorized personnel.
+> sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*
+
+If the either of the following entries are returned, this is a finding:
+ALL ALL=(ALL) ALL
+ALL ALL=(ALL:ALL) ALLSRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-020102The SUSE operating system must require reauthentication when using the "sudo" command.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
+
+If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895Configure the "sudo" command to require reauthentication.
+Edit the /etc/sudoers file:
+
+> sudo visudo
+
+Add or modify the following line:
+
+Defaults timestamp_timeout=[value]
+
+Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
+
+> sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d
+/etc/sudoers:Defaults timestamp_timeout=0
+
+If conflicting results are returned, this is a finding.
+
+If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020103The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
+For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
+
+Defaults !targetpw
+Defaults !rootpw
+Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
+
+> sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'
+
+/etc/sudoers:Defaults !targetpw
+/etc/sudoers:Defaults !rootpw
+/etc/sudoers:Defaults !runaspw
+
+If conflicting results are returned, this is a finding.
+If "Defaults !targetpw" is not defined, this is a finding.
+If "Defaults !rootpw" is not defined, this is a finding.
+If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020110All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
+
+CREATE_HOME yesVerify all SUSE operating system local interactive users on the system are assigned a home directory upon creation.
+
+Check to see if the system is configured to create home directories for local interactive users with the following command:
+
+> grep -i create_home /etc/login.defs
+CREATE_HOME yes
+
+If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020120The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred.
+
+Add or edit the following lines in the "/etc/ssh/sshd_config" file:
+
+PrintLastLog yesVerify all remote connections via SSH to the SUSE operating system display feedback on when account accesses last occurred.
+
+Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*printlastlog'
+
+PrintLastLog yes
+
+If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>SLES-15-020130The SUSE operating system must enforce passwords that contain at least one uppercase character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one uppercase character.
+
+Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring at least one uppercase character.
+
+Check that the operating system enforces password complexity by requiring that at least one uppercase character be used by using the following command:
+
+> grep pam_cracklib.so /etc/pam.d/common-password
+password requisite pam_cracklib.so ucredit=-1
+
+If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ucredit=-1", this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>SLES-15-020140The SUSE operating system must enforce passwords that contain at least one lowercase character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one lowercase character.
+
+Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one lowercase character.
+
+Check that the operating system enforces password complexity by requiring that at least one lowercase character be used by using the following command:
+
+> grep pam_cracklib.so /etc/pam.d/common-password
+password requisite pam_cracklib.so lcredit=-1
+
+If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "lcredit=-1", this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>SLES-15-020150The SUSE operating system must enforce passwords that contain at least one numeric character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character.
+
+Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one numeric character.
+
+Check that the operating system enforces password complexity by requiring that at least one numeric character be used by using the following command:
+
+> grep pam_cracklib.so /etc/pam.d/common-password
+password requisite pam_cracklib.so dcredit=-1
+
+If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>SLES-15-020160The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.<VulnDiscussion>If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command:
+
+Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.Verify the SUSE operating system requires at least eight characters be changed between the old and new passwords during a password change.
+
+Check that the operating system requires at least eight characters be changed between the old and new passwords during a password change by running the following command:
+
+> grep pam_cracklib.so /etc/pam.d/common-password
+password requisite pam_cracklib.so difok=8
+
+If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020170The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength.
+
+Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option.Verify the SUSE operating system configures the Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength.
+
+Check that PAM is configured to create SHA512 hashed passwords by running the following command:
+
+> grep pam_unix.so /etc/pam.d/common-password
+password required pam_unix.so sha512
+
+If the command does not return anything or the returned line is commented out, has a second column value different from "required", or does not contain "sha512", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020180The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
+
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062CCI-000803Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash.
+
+Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to have a value of "SHA512".
+
+ENCRYPT_METHOD SHA512
+
+Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.Verify the SUSE operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash.
+
+Check that the interactive user account passwords are using a strong password hash with the following command:
+
+> sudo cut -d: -f2 /etc/shadow
+
+$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
+
+Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated.
+
+If any interactive user password hash does not begin with "$6", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020190The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
+
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062CCI-000803Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash.
+
+Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000":
+
+SHA_CRYPT_MIN_ROUNDS 5000Verify the SUSE operating system configures the shadow password suite configuration to encrypt passwords using a strong cryptographic hash.
+
+Check that a minimum number of hash rounds is configured by running the following command:
+
+> egrep "^SHA_CRYPT_" /etc/login.defs
+
+If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding.
+
+If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-15-020200The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age.
+
+Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days:
+
+PASS_MIN_DAYS [DAYS]
+
+The DOD requirement is "1" but a greater value is acceptable.Verify the SUSE operating system creates or updates passwords with minimum password age of one day or greater.
+
+To check that the SUSE operating system enforces 24 hours/one day as the minimum password age, run the following command:
+
+> grep '^PASS_MIN_DAYS' /etc/login.defs
+
+PASS_MIN_DAYS 1
+
+If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-15-020210The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts.
+
+Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed:
+
+> sudo passwd -n 1 [USER]Verify the SUSE operating system enforces a minimum time period between password changes for each user account of one day or greater.
+
+Check the minimum time period between password changes for each user account with the following command:
+
+> sudo awk -F: '$4 < 1 {print $1 ":" $4}' /etc/shadow
+
+smithj:1
+
+If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-15-020220The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce a maximum password age of 60 days or less.
+
+Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days:
+
+PASS_MAX_DAYS [DAYS]
+
+The DOD requirement is 60 days or less (greater than zero, as zero days will lock the account immediately).Verify that the SUSE operating system is configured to create or update passwords with a maximum password age of 60 days or less.
+
+Check that the SUSE operating system enforces 60 days or less as the maximum password age with the following command:
+
+> grep '^PASS_MAX_DAYS' /etc/login.defs
+
+The DOD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately).
+
+If no output is produced, or if "PASS_MAX_DAYS" is not set to "60" days or less, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-15-020230The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance:
+
+> sudo passwd -x 60 [USER]
+
+The DOD requirement is 60 days.Verify that the SUSE operating system enforces a maximum user password age of 60 days or less.
+
+Check that the SUSE operating system enforces 60 days or less as the maximum user password age with the following command:
+
+> sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow
+
+If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>SLES-15-020260The SUSE operating system must employ passwords with a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce a minimum 15-character password length.
+
+Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column.
+
+The DOD standard requires a minimum 15-character password length.Verify the SUSE operating system enforces a minimum 15-character password length.
+
+Check that the operating system enforces a minimum 15-character password length with the following command:
+
+> grep pam_cracklib.so /etc/pam.d/common-password
+password requisite pam_cracklib.so minlen=15
+
+If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>SLES-15-020270The SUSE operating system must enforce passwords that contain at least one special character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one special character.
+
+Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring at least one special character.
+
+Check that the operating system enforces password complexity by requiring at least one special character using the following command:
+
+> grep pam_cracklib.so /etc/pam.d/common-password
+password requisite pam_cracklib.so ocredit=-1
+
+If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ocredit=-1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>SLES-15-020290The SUSE operating system must prevent the use of dictionary words for passwords.<VulnDiscussion>If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to prevent the use of dictionary words for passwords.
+
+Edit "/etc/pam.d/common-password" and add the following line:
+
+password requisite pam_cracklib.soVerify the SUSE operating system prevents the use of dictionary words for passwords.
+
+Check that the SUSE operating system prevents the use of dictionary words for passwords with the following command:
+
+> grep pam_cracklib.so /etc/pam.d/common-password
+password requisite pam_cracklib.so
+
+If the command does not return anything, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020300The SUSE operating system must not be configured to allow blank or null passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not allow blank or null passwords.
+
+Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent logons with empty passwords.Verify the SUSE operating system is not configured to allow blank or null passwords.
+
+Check that blank or null passwords cannot be used by running the following command:
+
+> grep pam_unix.so /etc/pam.d/* | grep nullok
+
+If this produces any output, it may be possible to log on with accounts with empty passwords.
+
+If null passwords can be used, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030000The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.
+
+To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
+
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000015CCI-000018CCI-000172CCI-001403CCI-002130Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur.
+
+Add or update the following rule to "/etc/audit/rules.d/audit.rules":
+
+-w /etc/passwd -p wa -k account_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record when all modifications occur to the "/etc/passwd" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/etc/passwd'
+
+-w /etc/passwd -p wa -k account_mod
+
+If the command does not return a line, this is a finding.
+
+Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030010The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.
+
+To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
+
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur.
+
+Add or update the following rule to "/etc/audit/rules.d/audit.rules":
+
+-w /etc/group -p wa -k account_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record when modifications occur to the "/etc/group" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/etc/group'
+
+-w /etc/group -p wa -k account_mod
+
+If the command does not return a line, this is a finding.
+
+Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030020The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.
+
+To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
+
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur.
+
+Add or update the following rule to "/etc/audit/rules.d/audit.rules":
+
+-w /etc/shadow -p wa -k account_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record when modifications occur to the "/etc/shadow" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/etc/shadow'
+
+-w /etc/shadow -p wa -k account_mod
+
+If the command does not return a line, this is a finding.
+
+Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030030The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.
+
+To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
+
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur.
+
+Add or update the following rule to "/etc/audit/rules.d/audit.rules":
+
+-w /etc/security/opasswd -p wa -k account_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record when modifications occur to the "/etc/security/opasswd" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/etc/security/opasswd'
+
+-w /etc/security/opasswd -p wa -k account_mod
+
+If the command does not return a line, this is a finding.
+
+Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030040The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.
+
+To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
+
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/gshadow" file occur.
+
+Add or update the following rule to "/etc/audit/rules.d/audit.rules":
+
+-w /etc/gshadow -p wa -k account_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record when all modifications occur to the "/etc/gshadow" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/etc/gshadow'
+
+-w /etc/gshadow -p wa -k account_mod
+
+If the command does not return a line, this is a finding.
+
+Notes:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030050SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134CCI-000135CCI-000154CCI-000158CCI-001464CCI-001487CCI-001876CCI-002884Enable the SUSE operating system auditd service by performing the following commands:
+
+> sudo systemctl enable auditd.service
+> sudo systemctl start auditd.serviceVerify the SUSE operating system produces audit records.
+
+Check that the SUSE operating system produces audit records by running the following command to determine the current status of the auditd service:
+
+> systemctl is-active auditd.service
+active
+
+> systemctl is-enabled auditd.service
+enabled
+
+If the service is not active or not enabled, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030060The SUSE operating system must generate audit records for all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "ssh-keysign" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "ssh-keysign" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/lib/ssh/ssh-keysign'
+
+-a always,exit -S all -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh-keysign
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030070The SUSE operating system must generate audit records for all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "passwd" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "passwd" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/passwd'
+
+-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030080The SUSE operating system must generate audit records for all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "gpasswd" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "gpasswd" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/gpasswd'
+
+-a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030090The SUSE operating system must generate audit records for all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "newgrp" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "newgrp" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/newgrp'
+
+-a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-newgrp
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030100The SUSE operating system must generate audit records for a uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chsh" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "chsh" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/chsh'
+
+-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chsh
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030110The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-chkpwd
+-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any use of the "unix_chkpwd" or "unix2_chkpwd" commands.
+
+Check that the commands are being audited by performing the following command:
+
+> sudo auditctl -l | egrep -w "(unix_chkpwd|unix2_chkpwd)"
+
+-a always,exit -S all -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-chkpwd
+-a always,exit -S all -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix2-chkpwd
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030120The SUSE operating system must generate audit records for all uses of the chage command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chage" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any use of the "chage" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/chage'
+
+-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030130The SUSE operating system must generate audit records for all uses of the crontab command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "crontab" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any use of the "crontab" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/crontab'
+
+-a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030140The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
+
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+
+-w /etc/sudoers -p wa -k privileged-actions
+
+-w /etc/sudoers.d -p wa -k privileged-actions
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
+
+Check that the file and directory is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/etc/sudoers'
+
+-w /etc/sudoers -p wa -k privileged-actions
+-w /etc/sudoers.d -p wa -k privileged-actions
+
+If the commands do not return output that match the examples, this is a finding.
+
+Notes:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030150The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.
+
+Check that the system calls are being audited by performing the following command:
+
+> sudo auditctl -l | grep 'open\|truncate\|creat'
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+
+If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding.
+
+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+
+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030190The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr","removexattr", "fremovexattr", and "lremovexattr" system calls.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
+
+Check that the system calls are being audited by performing the following command:
+
+> sudo auditctl -l | grep xattr
+
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+
+If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030250The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.
+
+Check that the system calls are being audited by performing the following command:
+
+> sudo auditctl -l | grep chown
+
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_mod
+
+If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030290The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chmod", "fchmod", and "fchmodat" system calls.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "chmod", "fchmod" a,nd "fchmodat" system calls.
+
+Check that the system calls are being audited by performing the following command:
+
+> sudo auditctl -l | grep chmod
+
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
+
+If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030330The SUSE operating system must generate audit records for all uses of the sudoedit command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "sudoedit" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudoedit
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify an audit record is generated for all uses of the "sudoedit" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/sudoedit'
+
+-a always,exit -S all -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-sudoedit
+
+If the command does not return any output or the returned line is commented out, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030340The SUSE operating system must generate audit records for all uses of the chfn command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chfn" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "chfn" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/chfn'
+
+-a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
+
+If the command does not return any output or the returned line is commented out, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030350The SUSE operating system must generate audit records for all uses of the mount system call.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "mount" system call.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "mount" system call.
+
+Check that the system call is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w 'mount'
+
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount
+
+If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030360The SUSE operating system must generate audit records for all uses of the umount system call.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "umount" and "umount2" system calls.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount
+-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount
+-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "umount" and "umount2" system calls.
+
+Check that the system calls are being audited by performing the following command:
+
+> sudo auditctl -l | grep 'umount'
+
+-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -k privileged-umount
+-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -k privileged-umount
+-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -k privileged-umount
+
+If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030370The SUSE operating system must generate audit records for all uses of the ssh-agent command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "ssh-agent" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "ssh-agent" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/ssh-agent'
+
+-a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh-agent
+
+If the command does not return any output or the returned line is commented out, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030380The SUSE operating system must generate audit records for all uses of the insmod command.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
+
+DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability:
+
+1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
+
+2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
+
+3) All account creations, modifications, disabling, and terminations; and
+
+4) All kernel module load, unload, and restart actions.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to audit the execution of the module management program "insmod" by adding the following line to "/etc/audit/rules.d/audit.rules":
+
+-w /sbin/insmod -p x -k modules
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system is generates an audit record for all uses of the "insmod" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/sbin/insmod'
+
+-w /sbin/insmod -p x -k modules
+
+If the system is configured to audit the execution of the module management program "insmod", the command will return a line.
+
+If the command does not return a line, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030390The SUSE operating system must generate audit records for all uses of the rmmod command.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
+
+DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability:
+
+1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
+
+2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
+
+3) All account creations, modifications, disabling, and terminations; and
+
+4) All kernel module load, unload, and restart actions.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to audit the execution of the module management program "rmmod" by adding the following line to "/etc/audit/rules.d/audit.rules":
+
+-w /sbin/rmmod -p x -k modules
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "rmmod" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/sbin/rmmod'
+
+-w /sbin/rmmod -p x -k modules
+
+If the system is configured to audit the execution of the module management program "rmmod", the command will return a line.
+
+If the command does not return a line, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030400The SUSE operating system must generate audit records for all uses of the modprobe command.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
+
+DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability:
+
+1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
+
+2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
+
+3) All account creations, modifications, disabling, and terminations; and
+
+4) All kernel module load, unload, and restart actions.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to audit the execution of the module management program "modprobe" by adding the following line to "/etc/audit/rules.d/audit.rules":
+
+-w /sbin/modprobe -p x -k modules
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "modprobe" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/sbin/modprobe'
+
+-w /sbin/modprobe -p x -k modules
+
+If the system is configured to audit the execution of the module management program "modprobe", the command will return a line.
+
+If the command does not return a line, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030410The SUSE operating system must generate audit records for all uses of the kmod command.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
+
+DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability:
+
+1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
+
+2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
+
+3) All account creations, modifications, disabling, and terminations; and
+
+4) All kernel module load, unload, and restart actions.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/rules.d/audit.rules":
+
+-w /usr/bin/kmod -p x -k modules
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "kmod" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/kmod'
+
+-w /usr/bin/kmod -p x -k modules
+
+If the system is configured to audit the execution of the module management program "kmod", the command will return a line.
+
+If the command does not return a line, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030420The SUSE operating system must generate audit records for all uses of the chmod command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chmod" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "chmod" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/chmod'
+
+-a always,exit -S all -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030430The SUSE operating system must generate audit records for all uses of the setfacl command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "setfacl" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/setfacl'
+
+-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030440The SUSE operating system must generate audit records for all uses of the chacl command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "chacl" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/chacl'
+
+-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030450The SUSE operating system must generate audit records for all uses of the chcon command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "chcon" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "chcon" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/chcon'
+
+-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030460The SUSE operating system must generate audit records for all uses of the rm command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "rm" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "rm" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/rm'
+
+-a always,exit -S all -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030470The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for any all modifications to the "tallylog" file occur.
+
+Add or update the following rule to "/etc/audit/rules.d/audit.rules":
+
+-w /var/log/tallylog -p wa -k logins
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record when all modifications to the "tallylog" file occur.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/var/log/tallylog'
+
+-w /var/log/tallylog -p wa -k logins
+
+If the command does not return a line, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030480The SUSE operating system must generate audit records for all modifications to the lastlog file.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for any all modifications to the "lastlog" file occur.
+
+Add or update the following rule to "/etc/audit/rules.d/audit.rules":
+
+-w /var/log/lastlog -p wa -k logins
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record when all modifications to the "lastlog" file occur.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/var/log/lastlog'
+
+-w /var/log/lastlog -p wa -k logins
+
+If the command does not return a line, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030490The SUSE operating system must generate audit records for all uses of the passmass command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "passmass" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "passmass" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/passmass'
+
+-a always,exit -S all -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passmass
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030500The SUSE operating system must generate audit records for all uses of the usermod command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "usermod" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any use of the "usermod" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/sbin/usermod'
+
+-a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030510The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "pam_timestamp_check" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any use of the "pam_timestamp_check" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/sbin/pam_timestamp_check'
+
+-a always,exit -S all -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
+
+If the command does not return any output, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030520The SUSE operating system must generate audit records for all uses of the delete_module system call.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "delete_module" system call.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module
+-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "delete_module" system call.
+
+Check that the system call is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w 'delete_module'
+
+-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -k unload_module
+-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k unload_module
+
+If both the "b32" and "b64" audit rules are not defined for the "unload_module" syscall, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030530The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "init_module" and "finit_module" system calls.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "init_module" and "finit_module" system calls.
+
+Check that the system calls are being audited by performing the following command:
+
+> sudo auditctl -l | grep init_module
+
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k moduleload
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k moduleload
+
+If both the "b32" and "b64" audit rules are not defined for the init_module" and "finit_module" syscalls, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030550The SUSE operating system must generate audit records for all uses of the su command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "su" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any use of the "su" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/su'
+
+-a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
+
+If the command does not return any output or the returned line is commented out, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-15-030560The SUSE operating system must generate audit records for all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000130CCI-000169CCI-000172CCI-002884Configure the SUSE operating system to generate an audit record for all uses of the "sudo" command.
+
+Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
+
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any use of the "sudo" command.
+
+Check that the command is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/usr/bin/sudo'
+
+-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-sudo
+
+If the command does not return any output, or the returned line is commented out, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>SLES-15-030570The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000139Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure.
+
+Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:
+
+action_mail_acct = rootVerify the administrators are notified in the event of a SUSE operating system audit processing failure by inspecting "/etc/audit/auditd.conf".
+
+Check if the system is configured to send email to an account when it needs to notify an administrator with the following command:
+
+> sudo grep action_mail /etc/audit/auditd.conf
+
+action_mail_acct = root
+
+If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>SLES-15-030580The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000139Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure.
+
+Configure an alias value for the postmaster with the following command:
+
+> sudo sh -c 'echo "postmaster: root" >> /etc/aliases'
+
+Configure an alias for root that forwards to a monitored email address with the following command:
+
+> sudo sh -c 'echo "root: box@server.mil" >> /etc/aliases'
+
+The following command must be run to implement changes to the /etc/aliases file:
+
+> sudo newaliasesVerify the administrators are notified in the event of a SUSE operating system audit processing failure by checking that "/etc/aliases" has a defined value for root.
+
+> grep -i "^postmaster:" /etc/aliases
+
+postmaster: root
+
+If the above command does not return a value of "root", or the output is commented out, this is a finding
+
+Verify the alias for root forwards to a monitored e-mail account:
+
+> grep -i "^root:" /etc/aliases
+root: person@server.mil
+
+If the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>SLES-15-030590The SUSE operating system audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>It is critical that when the SUSE operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.
+
+When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
+
+1) If the failure was caused by the lack of audit record storage capacity, the SUSE operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.
+
+2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the SUSE operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000140Configure the SUSE operating system to shut down by default upon audit failure (unless availability is an overriding concern).
+
+Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG", "SINGLE", or "HALT" depending on configuration) in "/etc/audit/auditd.conf" file:
+
+disk_full_action = HALTVerify the SUSE operating system takes the appropriate action when the audit storage volume is full.
+
+Check that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command:
+
+> sudo grep disk_full_action /etc/audit/auditd.conf
+
+disk_full_action = SYSLOG
+
+If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>SLES-15-030600The SUSE operating system must protect audit rules from unauthorized modification.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000162CCI-000163CCI-000164Configure the SUSE operating system to protect audit rules from unauthorized modification.
+
+Add or update the following rules in "/etc/permissions.local":
+
+/var/log/audit root:root 600
+/var/log/audit/audit.log root:root 600
+/etc/audit/audit.rules root:root 640
+/etc/audit/rules.d/audit.rules root:root 640
+
+Set the correct permissions with the following command:
+
+> sudo chkstat --set /etc/permissions.localVerify that the SUSE operating system protects audit rules from unauthorized modification.
+
+Check that "permissions.local" file contains the correct permissions rules with the following command:
+
+> grep -i audit /etc/permissions.local
+
+/var/log/audit root:root 600
+/var/log/audit/audit.log root:root 600
+/etc/audit/audit.rules root:root 640
+/etc/audit/rules.d/audit.rules root:root 640
+
+If the command does not return any output, this is a finding.
+
+Check that all of the audit information files and folders have the correct permissions with the following command:
+
+> sudo chkstat /etc/permissions.local
+
+If the command returns any output, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>SLES-15-030620The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+
+SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.
+
+Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001493CCI-001494CCI-001495Configure the SUSE operating system audit tools to have proper permissions set in the permissions profile to protect from unauthorized access.
+
+Edit the file "/etc/permissions.local" and insert the following text:
+
+/usr/sbin/audispd root:root 0750
+/usr/sbin/auditctl root:root 0750
+/usr/sbin/auditd root:root 0750
+/usr/sbin/ausearch root:root 0755
+/usr/sbin/aureport root:root 0755
+/usr/sbin/autrace root:root 0750
+/usr/sbin/augenrules root:root 0750
+
+Set the correct permissions with the following command:
+
+> sudo chkstat --set /etc/permissions.localVerify that the SUSE operating system audit tools have the proper permissions configured in the permissions profile to protect from unauthorized access.
+
+Check that "permissions.local" file contains the correct permissions rules with the following command:
+
+> grep "^/usr/sbin/au" /etc/permissions.local
+
+/usr/sbin/audispd root:root 0750
+/usr/sbin/auditctl root:root 0750
+/usr/sbin/auditd root:root 0750
+/usr/sbin/ausearch root:root 0755
+/usr/sbin/aureport root:root 0755
+/usr/sbin/autrace root:root 0750
+/usr/sbin/augenrules root:root 0750
+
+If the command does not return any output, this is a finding.
+
+Check that all of the audit information files and folders have the correct permissions with the following command:
+
+> sudo chkstat /etc/permissions.local
+
+If the command returns any output, this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>SLES-15-030630The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs.
+
+To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001496Configure the SUSE operating system file integrity tool to protect the integrity of the audit tools.
+
+Add or update the following lines to "/etc/aide.conf" to protect the integrity of the audit tools:
+
+# audit tools
+/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512Verify that the SUSE operating system file integrity tool is configured to protect the integrity of the audit tools.
+
+Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command:
+
+> sudo grep /usr/sbin/au /etc/aide.conf
+
+/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+
+If AIDE is properly configured to protect the integrity of the audit tools, all lines listed above will be returned from the command.
+
+If one or more lines are missing, or is commented out, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>SLES-15-030640The SUSE operating system must generate audit records for all uses of the privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
+
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003938CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-001914CCI-002234Configure the SUSE operating system to generate an audit record for any privileged use of the "execve" system call.
+
+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for any privileged use of the "execve" system call.
+
+> sudo auditctl -l | grep -w 'execve'
+
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+
+If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
+
+If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
+
+Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000337-GPOS-00129<GroupDescription></GroupDescription>SLES-15-030650The SUSE operating system must have the auditing package installed.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system.
+
+Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000172CCI-003938CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-001914The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it:
+
+> sudo zypper in auditVerify the SUSE operating system auditing package is installed.
+
+Check that the "audit" package is installed by performing the following command:
+
+> zypper info audit | grep Installed
+
+i | audit | User Space Tools for 2.6 Kernel Auditing
+
+If the package "audit" is not installed on the system, then this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>SLES-15-030660The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure SUSE operating systems have a sufficient storage capacity in which to write the audit logs, SUSE operating systems need to be able to allocate audit record storage capacity.
+
+The task of allocating audit record storage capacity is usually performed during initial installation of the SUSE operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001849Allocate enough storage capacity for at least one week of SUSE operating system audit records when audit records are not immediately sent to a central audit record storage facility.
+
+If audit records are stored on a partition made specifically for audit records, use the "YaST2 - Partitioner" program (installation and configuration tool for Linux) to resize the partition with sufficient space to contain one week of audit records.
+
+If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. The new partition can be created using the "YaST2 - Partitioner" program on the system.Verify the SUSE operating system allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
+
+Determine to which partition the audit records are being written with the following command:
+
+> sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command:
+
+> df -h /var/log/audit/
+/dev/sda2 24G 10.4G 13.6G 43% /var
+
+If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:
+
+> sudo du -sh [audit_partition]
+1.8G /var/log/audit
+
+The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient.
+
+If the audit record partition is not allocated sufficient storage capacity, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030670The audit-audispd-plugins must be installed on the SUSE operating system.<VulnDiscussion>The audit-audispd-plugins must be installed on the SUSE operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command:
+
+> sudo zypper install audit-audispd-plugins
+
+In "/etc/audisp/plugins.d/au-remote.conf", change the value of "active" to "yes", or add "active = yes" if no such setting exists in the file.Verify that the "audit-audispd-plugins" package is installed on the SUSE operating system.
+
+Check that the "audit-audispd-plugins" package is installed on the SUSE operating system with the following command:
+
+> zypper info audit-audispd-plugins | grep Installed
+
+If the "audit-audispd-plugins" package is not installed, this is a finding.
+
+Verify the "au-remote" plugin is enabled with the following command:
+
+> sudo grep -i active /etc/audisp/plugins.d/au-remote.conf
+active = yes
+
+If "active" is missing, commented out, or is not set to "yes", this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030680The SUSE operating system audit event multiplexor must be configured to use Kerberos.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the "/etc/audisp/audisp-remote.conf" file.
+
+Edit or add the following line to match the text below:
+
+enable_krb5 = yesDetermine if the SUSE operating system audit event multiplexor is configured to use Kerberos by running the following command:
+
+> sudo grep enable_krb5 /etc/audisp/audisp-remote.conf
+enable_krb5 = yes
+
+If "enable_krb5" is not set to "yes", or is commented out, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030690Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system "/etc/audisp/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address:
+
+remote_server = [IP ADDRESS]Verify "audispd" off-loads audit records onto a different system or media from the SUSE operating system being audited.
+
+Check if "audispd" is configured to off-load audit records onto a different system or media from the SUSE operating system by running the following command:
+
+> sudo grep remote_server /etc/audisp/audisp-remote.conf
+remote_server = 192.168.1.101
+
+If "remote_server" is not set to an external server or media, or is commented out, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>SLES-15-030700The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001855Check the system configuration to determine the partition to which the audit records are written:
+
+> sudo grep -iw log_file /etc/audit/auditd.conf
+
+Determine the size of the partition to which audit records are written (e.g., "/var/log/audit/"):
+
+> df -h /var/log/audit/
+
+Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.Determine if the SUSE operating system auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity.
+
+Check the system configuration to determine the partition to which audit records are written using the following command:
+
+> sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+
+Check the size of the partition to which audit records are written (e.g., "/var/log/audit/"):
+
+> df -h /var/log/audit/
+/dev/sda2 24G 10.4G 13.6G 43% /var
+
+If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), use the following command to determine the amount of space other files in the partition currently occupy:
+
+> sudo du -sh <partition>
+1.8G /var/log/audit
+
+Determine the threshold for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:
+
+> sudo grep -iw space_left /etc/audit/auditd.conf
+space_left = 225
+
+If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000468-GPOS-00212<GroupDescription></GroupDescription>SLES-15-030740The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat, and rmdir system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000172Configure the SUSE operating system to generate an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod
+
+To reload the rules file, restart the audit daemon:
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.
+
+Check that the system calls are being audited by performing the following command:
+
+> sudo auditctl -l | grep 'unlink\|rename\|rmdir'
+
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k perm_mod
+
+If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>SLES-15-030760The SUSE operating system must generate audit records for the /run/utmp file.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000172Configure the SUSE operating system to generate an audit record for the "/run/utmp" file.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-w /run/utmp -p wa -k login_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for the "/run/utmp" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/run/utmp'
+
+-w /run/utmp -p wa -k login_mod
+
+If the command does not return a line that match the example, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>SLES-15-030770The SUSE operating system must generate audit records for the /var/log/wtmp file.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000172Configure the SUSE operating system to generate an audit record for the "/var/log/wtmp" file.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-w /var/log/wtmp -p wa -k login_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for the "/var/log/wtmp" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/var/log/wtmp'
+
+-w /var/log/wtmp -p wa -k login_mod
+
+If the command does not return a line that matches the example, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>SLES-15-030780The SUSE operating system must generate audit records for the /var/log/btmp file.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000172Configure the SUSE operating system to generate an audit record for the "/var/log/btmp" file.
+
+Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+-w /var/log/btmp -p wa -k login_mod
+
+To reload the rules file, restart the audit daemon
+
+> sudo systemctl restart auditd.service
+
+or issue the following command:
+
+> sudo augenrules --loadVerify the SUSE operating system generates an audit record for the "/var/log/btmp" file.
+
+Check that the file is being audited by performing the following command:
+
+> sudo auditctl -l | grep -w '/var/log/btmp'
+
+-w /var/log/btmp -p wa -k login_mod
+
+If the command does not return a line that matches the example, this is a finding.
+
+Note:
+The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-15-030790The SUSE operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure.
+
+Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". See the example below:
+
+network_failure_action = syslogVerify what action the audit system takes if it cannot off-load audit records to a different system or storage media from the SUSE operating system being audited.
+
+Check the action that the audit system takes in the event of a network failure with the following command:
+
+> sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf
+
+network_failure_action = syslog
+
+If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-15-030800Audispd must take appropriate action when the SUSE operating system audit storage is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system to take the appropriate action if the audit storage is full.
+
+Add, edit, or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below:
+
+disk_full_action = syslogVerify the audit system off-loads audit records if the SUSE operating system storage volume becomes full.
+
+Check that the records are properly off-loaded to a remote server with the following command:
+
+> sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf
+disk_full_action = syslog
+
+If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-030810The SUSE operating system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Migrate the SUSE operating system audit data path onto a separate file system.Verify that the SUSE operating system has a separate file system/partition for the system audit data path.
+
+Check that a file system/partition has been created for the system audit data path with the following command:
+
+Note: "/var/log/audit" is used as the example as it is a common location.
+
+> grep /var/log/audit /etc/fstab
+UUID=3645951a /var/log/audit ext4 defaults 1 2
+
+If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition.
+
+If a separate file system/partition does not exist for the system audit data path, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-030820The SUSE operating system must not disable syscall auditing.<VulnDiscussion>By default, the SUSE operating system includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. Because the audit daemon processes the "audit.rules" file from the top down, this rule supersedes all other defined syscall rules; therefore no syscall auditing can take place on the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Remove the "-a task,never" rule from the /etc/audit/rules.d/audit.rules file.
+
+The audit daemon must be restarted for the changes to take effect.
+
+> sudo systemctl restart auditd.serviceVerify syscall auditing has not been disabled:
+
+> auditctl -l | grep -i "a task,never"
+
+If any results are returned, this is a finding.
+
+Verify the default rule "-a task,never" is not statically defined :
+
+> grep -rv "^#" /etc/audit/rules.d/ | grep -i "a task,never"
+
+If any results are returned, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>SLES-15-040000The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
+
+Add or update the following variable in "/etc/login.defs" to match the line below ("FAIL_DELAY" must have a value of "4" or higher):
+
+FAIL_DELAY 4Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt.
+
+Check that the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt with the following command:
+
+> grep FAIL_DELAY /etc/login.defs
+FAIL_DELAY 4
+
+If the value of "FAIL_DELAY" is not set to "4", "FAIL_DELAY" is commented out, or "FAIL_DELAY" is missing, then this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>SLES-15-040010The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
+
+Edit the file "/etc/pam.d/common-auth".
+
+Add a parameter "pam_faildelay" and set it to:
+
+> delay is in micro seconds
+auth required pam_faildelay.so delay=4000000Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt.
+
+> grep pam_faildelay /etc/pam.d/common-auth
+auth required pam_faildelay.so delay=4000000
+
+If the value of "delay" is not set to "4000000", "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040020There must be no .shosts files on the SUSE operating system.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Remove any ".shosts" files found on the SUSE operating system.
+
+> sudo rm /[path]/[to]/[file]/.shostsText: Verify there are no ".shosts" files on the SUSE operating system.
+
+Check the system for the existence of these files with the following command:
+
+> sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -name '.shosts' -print
+
+If any ".shosts" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040030There must be no shosts.equiv files on the SUSE operating system.<VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Remove any "shosts.equiv" files found on the SUSE operating system.
+
+> sudo rm /[path]/[to]/[file]/shosts.equivVerify there are no "shosts.equiv" files on the SUSE operating system.
+
+Check the system for the existence of these files with the following command:
+
+> sudo find /etc -name shosts.equiv
+
+If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040040The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system file integrity tool to check file and directory ACLs.
+
+If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.Verify that the SUSE operating system file integrity tool is configured to verify extended attributes.
+
+If there is no application installed to perform integrity checks, this is a finding.
+
+Check the "/etc/aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.
+
+An example rule that includes the "acl" rule follows:
+
+ All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All > apply the custom rule to the files in bin
+ /sbin All > apply the same custom rule to the files in sbin
+
+If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040050The SUSE operating system file integrity tool must be configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system file integrity tool to check file and directory extended attributes.
+
+If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.Verify that the SUSE operating system file integrity tool is configured to verify extended attributes.
+
+If there is no application installed to perform integrity checks, this is a finding.
+
+Check the "/etc/aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.
+
+An example rule that includes the "xattrs" rule follows:
+
+ All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All > apply the custom rule to the files in bin
+ /sbin All > apply the same custom rule to the files in sbin
+
+If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040060The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:
+
+> sudo systemctl disable ctrl-alt-del.target
+
+> sudo systemctl mask ctrl-alt-del.target
+
+And reload the daemon to take effect
+
+> sudo systemctl daemon-reloadVerify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
+
+Check that the ctrl-alt-del.target is masked with the following command:
+
+> systemctl status ctrl-alt-del.target
+ctrl-alt-del.target
+Loaded: masked (/dev/null; maksed)
+Active: inactive (dead)
+
+If the ctrl-alt-del.target is not masked, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040061The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the
+graphical user interface.
+
+Create a database to contain the system-wide setting (if it does not
+already exist) with the following steps:
+
+1. Create a user profile and with the listed content:
+
+/etc/dconf/profile/user
+user-db:user
+system-db:local
+
+2. Create the following directories:
+
+> sudo mkdir -p /etc/dconf/db/local.d/
+> sudo mkdir -p /etc/dconf/db/local.d/locks/
+
+3. Add the following files with the listed content:
+
+/etc/dconf/db/local.d/01-fips-settings
+[org/gnome/settings-daemon/plugins/media-keys]
+logout=['']
+
+/etc/dconf/db/local.d/locks/01-fips-locks
+/org/gnome/settings-daemon/plugins/media-keys/logout
+
+4. Update the dconf database:
+
+> sudo dconf updateNote: If a graphical user interface is not installed, this requirement is Not Applicable.
+
+Verify the SUSE operating system is not configured to reboot the system
+when Ctrl-Alt-Delete is pressed in the graphical user interface.
+
+Check that the dconf setting was disabled to allow the Ctrl-Alt-Delete
+sequence in the graphical user interface with the following command:
+
+Check the default logout key sequence:
+
+> sudo gsettings get org.gnome.settings-daemon.plugins.media-keys logout
+['']
+
+Check that the value is not writable and cannot be changed by the user:
+
+> sudo gsettings writable org.gnome.settings-daemon.plugins.media-keys logout
+false
+
+If the logout value is not [''] and the writable status is not false, this
+is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040062The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file:
+
+CtrlAltDelBurstAction=none
+
+Reload the daemon for this change to take effect
+
+> sudo systemctl daemon-reloadVerify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command:
+
+> sudo grep -i ctrl /etc/systemd/system.conf
+
+CtrlAltDelBurstAction=none
+
+If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040070All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Assign home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned.
+
+Assign a home directory to users via the usermod command:
+
+> sudo usermod -d /home/smithj smithjVerify SUSE operating system local interactive users on the system have a home directory assigned.
+
+Check for missing local interactive user home directories with the following command:
+
+> sudo pwck -r
+user 'smithj': directory '/home/smithj' does not exist
+
+Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:
+
+> awk -F: '($3>=1000)&&($1!="nobody"){print $1 ":" $3}' /etc/passwd
+
+If any interactive users do not have a home directory assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040080All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Create home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
+
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd".
+
+> sudo mkdir /home/smithj
+> sudo chown smithj /home/smithj
+> sudo chgrp users /home/smithj
+> sudo chmod 0750 /home/smithjVerify the assigned home directory of all SUSE operating system local interactive users on the system exists.
+
+Check the home directory assignment for all local interactive non-privileged users on the system with the following command:
+
+> awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd
+
+smithj /home/smithj
+
+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+Check that all referenced home directories exist with the following command:
+
+> sudo pwck -r
+
+user 'smithj': directory '/home/smithj' does not exist
+
+If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040090All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Change the mode of SUSE operating system local interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
+
+Note: The example will be for the user "smithj".
+
+> sudo chmod 0750 /home/smithjVerify the assigned home directory of all SUSE operating system local interactive users has a mode of "0750" or less permissive.
+
+Check the home directory assignment for all non-privileged users on the system with the following command:
+
+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+
+> ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
+
+If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040100All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Change the group owner of a SUSE operating system local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
+
+> sudo chgrp users /home/smithjVerify the assigned home directory of all SUSE operating system local interactive users is group-owned by that user's primary GID.
+
+Check the home directory assignment for all non-privileged users on the system with the following command:
+
+Note: This may miss local interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.
+
+> awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd)
+250:/home/smithj
+
+Check the user's primary group with the following command:
+
+> grep users /etc/group
+users:x:250:smithj,jonesj,jacksons
+
+If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040110All SUSE operating system local initialization files must have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Set the mode of SUSE operating system local initialization files to "0740" with the following command:
+
+Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+
+> sudo chmod 0740 /home/smithj/.<INIT_FILE>Verify that all SUSE operating system local initialization files have a mode of "0740" or less permissive.
+
+Check the mode on all SUSE operating system local initialization files with the following command:
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
+
+> sudo ls -al /home/smithj/.* | more
+-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile
+-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
+-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something
+
+If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040120All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Edit the SUSE operating system local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. 
If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all SUSE operating system local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory.
+
+Check the executable search path statement for all operating system local interactive user initialization files in the user's home directory with the following commands:
+
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
+
+> sudo grep -i path= /home/smithj/.*
+/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
+
+If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040130All SUSE operating system local initialization files must not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SUSE operating system local initialization scripts with the following command:
+
+> sudo chmod 0755 <file>Verify that SUSE operating system local initialization files do not execute world-writable programs.
+
+Verify that SUSE operating system local initialization files do not
+execute world-writable programs.
+
+Check the system for world-writable files with the following command:
+
+> sudo find / -xdev -perm -002 -type f -exec ls -ld {} \;
+
+For all files listed, check for their presence in the local
+initialization files with the following command:
+
+Note: The example will be for a system that is configured to create
+users' home directories in the "/home" directory.
+
+> sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H <file> {} \;
+
+If any local initialization files are found to reference world-writable
+files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040140SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users.
+
+Re-mount the filesystems.
+
+> sudo mount -o remount /homeVerify that SUSE operating system file systems that contain user home directories are mounted with the "nosuid" option.
+
+Print the currently active file system mount options of the file system(s) that contain the user home directories with the following command:
+
+> for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r
+/home /dev/mapper/system-home ext4 rw,nosuid,relatime,data=ordered
+
+If a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding.
+
+Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040150SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are associated with removable media.Verify SUSE operating system file systems used for removable media are mounted with the "nosuid" option.
+
+Check the file systems that are mounted at boot time with the following command:
+
+> more /etc/fstab
+
+UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0
+
+If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040160SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.Verify SUSE operating system file systems that are being NFS exported are mounted with the "nosuid" option.
+
+Find the file system(s) that contain the directories being exported with the following command:
+
+> grep nfs /etc/fstab
+
+UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0
+
+If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040170SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.Verify the SUSE operating system file systems that are being NFS exported are mounted with the "noexec" option.
+
+Find the file system(s) that contain the directories being exported with the following command:
+
+> grep nfs /etc/fstab
+
+UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0
+
+If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040180All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.
+
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Change the group of the SUSE operating system world-writable directories to root with the following command:
+
+> sudo chgrp root <directory>Verify all SUSE operating system world-writable directories are group-owned by root, sys, bin, or an application group.
+
+Check the system for world-writable directories with the following command:
+
+> sudo find / -perm -002 -type d -exec ls -lLd {} \;
+drwxrwxrwt. 2 root root 40 Aug 26 13:07 /dev/mqueue
+drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm
+drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp
+
+If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040190SUSE operating system kernel core dumps must be disabled unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366If SUSE operating system kernel core dumps are not required, disable the "kdump" service with the following command:
+
+> sudo systemctl disable kdump.service
+
+If kernel core dumps are required, document the need with the ISSO.Verify that SUSE operating system kernel core dumps are disabled unless needed.
+
+Check the status of the "kdump" service with the following command:
+
+> systemctl status kdump.service
+Loaded: not-found (Reason: No such file or directory)
+Active: inactive (dead)
+
+If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
+
+If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040200A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Create a separate file system/partition for SUSE operating system non-privileged local interactive user home directories.
+
+Migrate the non-privileged local interactive user home directories onto the separate file system/partition.Verify that a separate file system/partition has been created for SUSE operating system non-privileged local interactive user home directories.
+
+Check the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:
+
+> awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd
+
+adamsj 1002 /home/adamsj /bin/bash
+jacksonm 1003 /home/jacksonm /bin/bash
+smithj 1001 /home/smithj /bin/bash
+
+The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and user's shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.
+
+Check that a file system/partition has been created for the non-privileged interactive users with the following command:
+
+Note: The partition of /home is used in the example.
+
+> grep /home /etc/fstab
+UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2
+
+If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040210The SUSE operating system must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Create a separate file system/partition on the SUSE operating system for "/var".
+
+Migrate "/var" onto the separate file system/partition.Verify that the SUSE operating system has a separate file system/partition for "/var".
+
+Check that a file system/partition has been created for "/var" with the following command:
+
+> grep /var /etc/fstab
+UUID=c274f65f /var ext4 noatime,nobarrier 1 2
+
+If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040220The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.<VulnDiscussion>The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command:
+
+> sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done'
+
+Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.Verify the SUSE operating system is configured to not overwrite PAM configuration on package changes.
+
+Check that soft links between PAM configuration files are removed with the following command:
+
+> find /etc/pam.d/ -type l -iname "common-*"
+
+If any results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040230The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system SSH daemon to not allow authentication using "known hosts" authentication.
+
+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
+
+IgnoreUserKnownHosts yesVerify the SUSE operating system SSH daemon is configured to not allow authentication using "known hosts" authentication.
+
+To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts'
+
+IgnoreUserKnownHosts yes
+
+If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040240The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive.
+
+Note: SSH public key files may be found in other directories on the system depending on the installation.
+
+Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:
+
+> sudo chmod 0644 /etc/ssh/ssh_host*key.pubVerify the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive.
+
+Note: SSH public key files may be found in other directories on the system depending on the installation.
+
+The following command will find all SSH public key files on the system:
+
+> find /etc/ssh -name 'ssh_host*key.pub' -exec stat -c "%a %n" {} \;
+
+644 /etc/ssh/ssh_host_rsa_key.pub
+644 /etc/ssh/ssh_host_dsa_key.pub
+644 /etc/ssh/ssh_host_ecdsa_key.pub
+644 /etc/ssh/ssh_host_ed25519_key.pub
+
+If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040250The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the mode of the SUSE operating system SSH daemon private host key files under "/etc/ssh" to "0640" with the following command:
+
+ > sudo chmod 0640 /etc/ssh/ssh_host*keyVerify the SUSE operating system SSH daemon private host key files have mode "0640" or less permissive.
+
+The following command will find all SSH private key files on the system:
+
+ > sudo find / -name '*ssh_host*key' -exec ls -lL {} \;
+
+Check the mode of the private host key files under "/etc/ssh" file with the following command:
+
+ > find /etc/ssh -name 'ssh_host*key' -exec stat -c "%a %n" {} \;
+
+ 640 /etc/ssh/ssh_host_rsa_key
+ 640 /etc/ssh/ssh_host_dsa_key
+ 640 /etc/ssh/ssh_host_ecdsa_key
+ 640 /etc/ssh/ssh_host_ed25519_key
+
+If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040260The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files.
+
+Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes":
+
+StrictModes yesVerify the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files.
+
+Check that the SSH daemon performs strict mode checking of home directory configuration files with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes'
+
+StrictModes yes
+
+If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040290The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.
+X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.
+If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system SSH daemon to disable forwarded X connections for interactive users.
+
+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+
+X11Forwarding noDetermine if X11Forwarding is disabled.
+
+Verify the SUSE operating system SSH daemon remote X forwarded connections for interactive users are disabled.
+
+Check that SSH remote X forwarded connections are disabled with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding'
+
+X11Forwarding no
+
+If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement, is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040300The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4/IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to disable IPv4 source routing by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not accept IPv4 source-routed packets.
+
+Check the value of the IPv4 accept source route variable with the following command:
+
+> sudo sysctl net.ipv4.conf.all.accept_source_route
+net.ipv4.conf.all.accept_source_route = 0
+
+If the network parameter "ipv4.conf.all.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040310The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to disable IPv6 source routing by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv6.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not accept IPv6 source-routed packets.
+
+Check the value of the IPv6 accept source route variable with the following command:
+
+> sudo sysctl net.ipv6.conf.all.accept_source_route
+net.ipv6.conf.all.accept_source_route = 0
+
+If the network parameter "ipv6.conf.all.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040320The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to disable IPv4 default source routing by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not accept IPv4 source-routed packets by default.
+
+Check the value of the default IPv4 accept source route variable with the following command:
+
+> sudo sysctl net.ipv4.conf.default.accept_source_route
+net.ipv4.conf.default.accept_source_route = 0
+
+If the network parameter "ipv4.conf.default.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040321The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to disable IPv6 default source routing by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not accept IPv6 source-routed packets by default.
+
+Check the value of the default IPv6 accept source route variable with the following command:
+
+> sudo sysctl net.ipv6.conf.default.accept_source_route
+net.ipv6.conf.default.accept_source_route = 0
+
+If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040330The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not accept IPv4 ICMP redirect messages by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not accept IPv4 ICMP redirect messages.
+
+Check the value of the IPv4 accept_redirects variable with the following command:
+
+> sudo sysctl net.ipv4.conf.all.accept_redirects
+net.ipv4.conf.all.accept_redirects =0
+
+If the network parameter "ipv4.conf.all.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040340The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not accept IPv4 ICMP redirect messages by default by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not accept IPv4 ICMP redirect messages by default.
+
+Check the value of the default IPv4 accept_redirects variable with the following command:
+
+> sudo sysctl net.ipv4.conf.default.accept_redirects
+net.ipv4.conf.default.accept_redirects = 0
+
+If the network parameter "ipv4.conf.default.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040341The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not accept IPv6 ICMP redirect messages.
+
+Check the value of the IPv6 accept_redirects variable with the following command:
+
+> sudo sysctl net.ipv6.conf.all.accept_redirects
+net.ipv6.conf.all.accept_redirects =0
+
+If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040350The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by default by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not allow IPv6 ICMP redirect messages by default.
+
+Check the value of the default IPv6 accept_redirects variable with the following command:
+
+> sudo sysctl net.ipv6.conf.default.accept_redirects
+net.ipv6.conf.default.accept_redirects = 0
+
+If the network parameter "ipv6.conf.default.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040360The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.conf.default.send_redirects=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not allow interfaces to perform IPv4 ICMP redirects by default.
+
+Check the value of the default IPv4 send_redirects variable with the following command:
+
+> sudo sysctl net.ipv4.conf.default.send_redirects
+net.ipv4.conf.default.send_redirects = 0
+
+If the network parameter "ipv4.conf.default.send_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040370The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.conf.all.send_redirects=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system does not allow interfaces to perform IPv4 ICMP redirects.
+
+Check the value of the IPv4 send_redirects variable with the following command:
+
+> sudo sysctl net.ipv4.conf.all.send_redirects
+net.ipv4.conf.all.send_redirects = 0
+
+If the network parameter "ipv4.conf.all.send_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040380The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not performing IPv4 packet forwarding by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv4.ip_forward=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv4.ip_forward=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system is not performing IPv4 packet forwarding, unless the system is a router.
+
+Check to see if IPv4 forwarding is disabled using the following command:
+
+> sudo sysctl net.ipv4.ip_forward
+net.ipv4.ip_forward = 0
+
+If the network parameter "ipv4.ip_forward" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040381The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not performing IPv6 packet forwarding by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv6.conf.all.forwarding=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system is not performing IPv6 packet forwarding, unless the system is a router.
+
+Check to see if IPv6 forwarding is enabled using the following command:
+
+> sudo sysctl net.ipv6.conf.all.forwarding
+net.ipv6.conf.all.forwarding = 0
+
+If the network parameter "ipv6.conf.all.forwarding" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040382The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to not performing IPv6 packet forwarding by default by running the following command as an administrator:
+
+> sudo sysctl -w net.ipv6.conf.default.forwarding=0
+
+If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":
+
+> sudo sh -c 'echo "net.ipv6.conf.default.forwarding=0" >> /etc/sysctl.d/99-stig.conf'
+
+> sudo sysctl --systemVerify the SUSE operating system is not performing IPv6 packet forwarding by default, unless the system is a router.
+
+Check to see if IPv6 forwarding is disabled by default using the following command:
+
+> sudo sysctl net.ipv6.conf.default.forwarding
+net.ipv6.conf.default.forwarding = 0
+
+If the network parameter "ipv6.conf.default.forwarding" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040390The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.
+
+If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.
+
+Set the promiscuous mode of an interface to off with the following command:
+
+> sudo ip link set dev <devicename> promisc offVerify the SUSE operating system network interfaces are not in promiscuous mode unless approved by the ISSO and documented.
+
+Check for the status with the following command:
+
+> ip link | grep -i promisc
+
+If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040400All SUSE operating system files and directories must have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001230Either remove all files and directories from the SUSE operating system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command:
+
+> sudo chown <user> <file>Verify that all SUSE operating system files and directories on the system have a valid owner.
+
+Check the owner of all files and directories with the following command:
+
+Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
+
+> sudo find / -fstype xfs -nouser
+
+If any files on the system do not have an assigned owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040410All SUSE operating system files and directories must have a valid group owner.<VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001230Either remove all files and directories from the SUSE operating system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
+
+> sudo chgrp <group> <file>Verify all SUSE operating system files and directories on the system have a valid group.
+
+Check the owner of all files and directories with the following command:
+
+Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
+
+> sudo find / -fstype xfs -nogroup
+
+If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>SLES-15-040420The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files.
+
+Add or edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below:
+
+UMASK 077Verify the SUSE operating system defines default permissions for all authenticated users in such a way that the users can only read and modify their own files.
+
+Check the system default permissions with the following command:
+
+> grep -i "^umask" /etc/login.defs
+
+UMASK 077
+
+If the "UMASK" variable is set to "000", the severity is raised to a CAT I, and this is a finding.
+
+If the value of "UMASK" is not set to "077", or "UMASK" is missing, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-15-040430The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Note: If a graphical user interface is not installed, this requirement is Not Applicable.
+
+Configure the SUSE operating system GUI to not allow unattended or automatic logon to the system.
+
+Add or edit the following lines in the "/etc/sysconfig/displaymanager"
+configuration file:
+
+DISPLAYMANAGER_AUTOLOGIN=""
+DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"Note: If a graphical user interface is not installed, this requirement is Not Applicable.
+
+Verify the SUSE operating system does not allow unattended or automatic logon via the GUI.
+
+Check that unattended or automatic login is disabled with the following commands:
+
+> grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager
+
+DISPLAYMANAGER_AUTOLOGIN=""
+
+> grep -i ^DISPLAYMANAGER_PASSWORD_LESS_LOGIN /etc/sysconfig/displaymanager
+
+DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
+
+If the "DISPLAYMANAGER_AUTOLOGIN" parameter includes a username or the
+"DISPLAYMANAGER_PASSWORD_LESS_LOGIN"
+If parameter is not set to "no", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-15-040440The SUSE operating system must not allow unattended or automatic logon via SSH.<VulnDiscussion>Failure to restrict system access via SSH to authenticated users negatively impacts SUSE operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system disables unattended or automatic logon via SSH.
+
+Add or edit the following lines in the "/etc/ssh/sshd_config" file:
+
+PermitEmptyPasswords no
+PermitUserEnvironment noVerify the SUSE operating system disables unattended or automatic logon via SSH.
+
+Check that unattended or automatic logon via SSH is disabled with the following command:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iEH '^\s*(permit(.*?)(passwords|environment))'
+
+PermitEmptyPasswords no
+PermitUserEnvironment no
+
+If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are missing completely, or are commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020099The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
+
+It is possible to include other sudoers files from within the sudoers file currently being parsed using the @include and @includedir directives. For compatibility with sudo versions prior to 1.9.1, #include and #includedir are also accepted. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.
+
+Edit the /etc/sudoers file with the following command:
+
+> sudo visudo
+
+Add or modify the following line:
+@includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable.
+
+Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
+
+> sudo grep include /etc/sudoers
+
+@includedir /etc/sudoers.d
+
+If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.
+
+Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:
+
+> sudo grep -r include /etc/sudoers.d
+
+If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-020104The SUSE operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895Configure the operating system to require users to supply a password for privilege escalation.
+
+Check the configuration of the "/etc/ pam.d/sudo" file with the following command:
+
+$ sudo vi /etc/pam.d/sudo
+
+Remove any occurrences of "pam_succeed_if" in the file.Verify the operating system is not be configured to bypass password requirements for privilege escalation.
+
+Check the configuration of the "/etc/pam.d/sudo" file with the following command:
+
+$ sudo grep pam_succeed_if /etc/pam.d/sudo
+
+If any occurrences of "pam_succeed_if" are returned from the command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020181The SUSE operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands:
+
+Perform a password reset:
+$ sudo passwd [username]
+Lock an account:
+$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command:
+
+$ sudo awk -F: '!$2 {print $1}' /etc/shadow
+
+If the command returns any results, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>SLES-15-040450The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.
+
+The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config":
+
+ KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+
+Restart the "sshd" service for changes to take effect:
+
+ $ sudo systemctl restart sshdVerify the SSH server is configured to use only FIPS-validated key exchange algorithms:
+
+> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kexalgorithms'
+
+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+
+If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-15-010375The SUSE operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001090Configure the operating system to restrict access to the kernel message buffer.
+
+Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:
+
+ kernel.dmesg_restrict = 1
+
+Remove any configurations that conflict with the above from the following locations:
+ /run/sysctl.d/
+ /etc/sysctl.d/
+ /usr/local/lib/sysctl.d/
+ /usr/lib/sysctl.d/
+ /lib/sysctl.d/
+ /etc/sysctl.conf
+
+Reload settings from all system configuration files with the following command:
+
+ $ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands:
+
+ $ sudo sysctl kernel.dmesg_restrict
+ kernel.dmesg_restrict = 1
+
+If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.
+
+Check that the configuration files are present to enable this kernel parameter:
+
+ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
+ /etc/sysctl.conf:kernel.dmesg_restrict = 1
+ /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1
+
+If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-15-010419The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to the SUSE operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-002696Install AIDE, initialize it, and perform a manual check.
+
+Install AIDE:
+ $ sudo zipper in aide
+
+Initialize it (this may take a few minutes):
+ $ sudo aide -i
+
+The new database will need to be renamed to be read by AIDE:
+ $ sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+Perform a manual check:
+ $ sudo aide --check
+
+Example output:
+ Summary:
+ Total number of files: 140621
+ Added files: 1
+ Removed files: 1
+ Changed files: 0
+
+Done.Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.
+
+Check that the AIDE package is installed with the following command:
+ $ sudo zypper if aide | grep "Installed"
+ Installed: Yes
+
+If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
+
+If there is no application installed to perform integrity checks, this is a finding.
+
+If AIDE is installed, check if it has been initialized with the following command:
+ $ sudo aide --check
+
+If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>SLES-15-020061The SUSE operating system must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors.
+
+Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
+
+The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001682Configure the operating system to expire temporary accounts after 72 hours with the following command:
+
+ > sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>Verify temporary accounts have been provisioned with an expiration date of 72 hours.
+
+For every existing temporary account, run the following command to obtain its account expiration information:
+
+ > sudo chage -l <temporary_account_name> | grep -i "account expires"
+
+Verify each of these accounts has an expiration date set within 72 hours.
+If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-15-010418The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
+
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001744Install the "mailx" package on the system:
+
+ > sudo zypper install mailxVerify that the operating system is configured to allow sending email notifications.
+
+Note: The "mailx" package provides the "mail" command that is used to send email messages.
+
+Verify that the "mailx" package is installed on the system:
+
+ > sudo zypper se mailx
+
+ i | mailx | A MIME-Capable Implementation of the mailx Command | package
+
+If "mailx" package is not installed, this is a finding.
\ No newline at end of file
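Review bot: the SLES-15-010419 fix text in this hunk installs AIDE with `$ sudo zipper in aide`, which is not a valid SUSE command (the check text for the same rule uses `zypper if aide`), so anyone copying the fix verbatim gets a command-not-found rather than an AIDE install. Two smaller text defects in the same hunk: the SLES-15-020104 fix refers to `"/etc/ pam.d/sudo"` with a stray space in the path, while its own command and the check text use `/etc/pam.d/sudo`; and the SLES-15-040430 check ends with the broken fragment `"DISPLAYMANAGER_PASSWORD_LESS_LOGIN"` / `If parameter is not set to "no"`, which reads as two sentences run together. The file also ends without a trailing newline (`\ No newline at end of file`). Since this is an imported DISA benchmark, if the repository policy is to keep upstream XCCDF byte-for-byte, please record these as known upstream content issues in the commit message or a tracking note rather than silently shipping them; otherwise fix the `zipper` typo and the path, and add the final newline.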
diff --git a/benchmarks/DISA/U_VPN_SRG_V3R1_Manual-xccdf.xml b/benchmarks/DISA/U_VPN_SRG_V3R1_Manual-xccdf.xml
new file mode 100644
index 000000000..09848b9bb
--- /dev/null
+++ b/benchmarks/DISA/U_VPN_SRG_V3R1_Manual-xccdf.xml
@@ -0,0 +1,579 @@
+acceptedVirtual Private Network (VPN) Security Requirements GuideThis Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 24 Jul 20243.51.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-NET-000019<GroupDescription></GroupDescription>SRG-NET-000019-VPN-000040The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.<VulnDiscussion>Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.
+
+VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97041SV-106179CCI-001414Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).
+
+Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.
+
+If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,SRG-NET-000041<GroupDescription></GroupDescription>SRG-NET-000041-VPN-000110The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97043SV-106181CCI-000048Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+"I've read & consent to terms in IS user agreem't."If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.
+
+Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy.
+
+If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.SRG-NET-000042<GroupDescription></GroupDescription>SRG-NET-000042-VPN-000120The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
+
+The banner is usually configured in NDM for client presentation as well as local logon.
+
+To establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
+
+This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97045SV-106183CCI-000050Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.
+
+Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access.
+
+If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.SRG-NET-000043<GroupDescription></GroupDescription>SRG-NET-000043-VPN-000130The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.
+
+The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97047SV-106185CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read & consent to terms in IS user agreem't."
+
+If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.SRG-NET-000053<GroupDescription></GroupDescription>SRG-NET-000053-VPN-000170The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.<VulnDiscussion>VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
+
+The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97051SV-106189CCI-000054Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP).
+
+If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.SRG-NET-000062<GroupDescription></GroupDescription>SRG-NET-000062-VPN-000200The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
+
+NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97053SV-106191CCI-000068Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission.
+
+If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.SRG-NET-000063<GroupDescription></GroupDescription>SRG-NET-000063-VPN-000210The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.<VulnDiscussion>Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded.
+
+Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless.
+
+Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97055SV-106193CCI-001453Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.
+
+If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.SRG-NET-000063<GroupDescription></GroupDescription>SRG-NET-000063-VPN-000220The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.<VulnDiscussion>Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions.
+
+The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106195V-97057CCI-001453Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
+
+If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.SRG-NET-000074<GroupDescription></GroupDescription>SRG-NET-000074-VPN-000250The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.<VulnDiscussion>Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106197V-97059CCI-000068Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1.
+
+View the IKE options dh-group option.
+
+If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.SRG-NET-000075<GroupDescription></GroupDescription>SRG-NET-000075-VPN-000260If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.<VulnDiscussion>L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well-known. As stated in DoD IPv6 IA Guidance for MO3 (S4-C7-1), the L2TP tunnels can also carry IP packets that are very difficult to filter because of the additional encapsulation. Hence, it is imperative that L2TP sessions are authenticated prior to transporting traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106363V-97225CCI-000068If the site-to-site VPN implementation uses L2TPv3, configure L2TPv3 sessions to authenticate the traffic before transit.If L2TP communications protocol is not used, this is not applicable.
+
+Verify L2TPv3 sessions are configured to authenticate the traffic before transit. L2TPv3 sessions must be authenticated prior to transporting traffic.
+
+If L2TPv3 sessions do not require authentication, this is a finding.SRG-NET-000077<GroupDescription></GroupDescription>SRG-NET-000077-VPN-000280The VPN Gateway must generate log records containing information to establish what type of events occurred.<VulnDiscussion>Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+VPN gateways often have a separate audit log for capturing VPN status and other information about the traffic (as opposed to the log capturing administrative and configuration actions). Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in the VPN gateway logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106199V-97061CCI-000130Configure the VPN Gateway to generate log records containing information to establish what type of events occurred.Verify the VPN Gateway generates log records containing information to establish what type of events occurred.
+
+If the VPN Gateway does not generate log records containing information to establish what type of events occurred, this is a finding.SRG-NET-000078<GroupDescription></GroupDescription>SRG-NET-000078-VPN-000290The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred.<VulnDiscussion>Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
+
+VPN gateways often have a separate audit log for capturing VPN status and other information about the traffic (as opposed to the log capturing administrative and configuration actions).
+
+Associating event types with detected events in the network audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106201V-97063CCI-000131Configure the VPN Gateway to generate log records containing information to establish when (date and time) the events occurred.Configure the VPN Gateway generates log records containing information to establish when (date and time) the events occurred.
+
+If the VPN Gateway does not generate log records containing information to establish when (date and time) the events occurred, this is a finding.SRG-NET-000079<GroupDescription></GroupDescription>SRG-NET-000079-VPN-000300The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event.<VulnDiscussion>Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106203V-97065CCI-001487Configure the VPN Gateway to generate log records containing information that establishes the identity of any individual or process associated with the event.Verify the VPN Gateway generates log records containing information that establishes the identity of any individual or process associated with the event.
+
+If the VPN Gateway does not generate log records containing information that establishes the identity of any individual or process associated with the event, this is a finding.SRG-NET-000088<GroupDescription></GroupDescription>SRG-NET-000088-VPN-000310The VPN Gateway must generate log records containing information to establish where the events occurred.<VulnDiscussion>Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
+
+In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know where events occurred, such as VPN gateway components, modules, device identifiers, node names, and functionality.
+
+Associating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106205V-97067CCI-000132Configure the VPN Gateway to generates log records containing information to establish where the events occurred.Verify the VPN Gateway generates log records containing information to establish where the events occurred.
+
+If the VPN Gateway does not generate log records containing information to establish where the events occurred, this is a finding.SRG-NET-000089<GroupDescription></GroupDescription>SRG-NET-000089-VPN-000330The VPN Gateway must generate log records containing information to establish the source of the events.<VulnDiscussion>Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event.
+
+In addition to logging where events occur within the network, the log records must also identify sources of events such as IP addresses, processes, and node or device names.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106207V-97069CCI-000133Configure the VPN Gateway to generate log records containing information to establish the source of the events.Verify the VPN Gateway generates log records containing information to establish the source of the events.
+
+If the VPN Gateway does not generate log records containing information to establish the source of the events, this is a finding.SRG-NET-000091<GroupDescription></GroupDescription>SRG-NET-000091-VPN-000350The VPN Gateway must produce log records containing information to establish the outcome of the events.<VulnDiscussion>Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network.
+
+Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the network after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106209V-97071CCI-000134Configure the VPN Gateway to generate log entries containing information to establish the outcome of the events, such as, at a minimum, the success or failure of the client connection attempts.Examine the log configuration on the VPN Gateway or view several alert events on the organization's central audit server. Alternatively, examine the Central Log Server to see if it contains information about success or failure of client connection attempts or other events.
+
+If the traffic log entries do not include the success or failure of connection attempts and other events, this is a finding.SRG-NET-000098<GroupDescription></GroupDescription>SRG-NET-000098-VPN-000370The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally.<VulnDiscussion>Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured VPN gateway. Thus, it is imperative that the collected log data from the various VPN gateways, as well as the auditing tools, be secured and can only be accessed by authorized personnel.
+
+This requirement pertains to securing the VPN log as it is stored locally, on the box temporarily, or while being encapsulated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106211V-97073CCI-000162Configure the VPN Gateway to protect log information from unauthorized read access if all or some of this data is stored locally.Verify the VPN Gateway protects log information from unauthorized read access if all or some of this data is stored locally.
+
+If the VPN Gateway does not protect log information from unauthorized read access if all or some of this data is stored locally, this is a finding.SRG-NET-000099<GroupDescription></GroupDescription>SRG-NET-000099-VPN-000380The VPN Gateway log must protect audit information from unauthorized modification when stored locally.<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+This requirement pertains to securing the VPN log as it is stored locally, on the box temporarily, or while being encapsulated.
+
+This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.
+
+Audit information includes all information (e.g., log records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106213V-97075CCI-000163Configure the VPN Gateway log to protect audit information from unauthorized modification when stored locally. The method used depends on system architecture and design. Examples: ensuring log files receive the proper file system permissions and limiting log data locations.Verify the VPN Gateway log is configured to protect audit information from unauthorized modification when stored locally.
+
+The VPN Gateway log must protect audit information from unauthorized modification when stored locally, this is a finding.SRG-NET-000100<GroupDescription></GroupDescription>SRG-NET-000100-VPN-000390The VPN Gateway must protect audit information from unauthorized deletion when stored locally.<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+
+To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.
+
+This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.
+
+Audit information includes all information (e.g., log records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97077SV-106215CCI-000164Configure the VPN Gateway to protect audit information from unauthorized deletion when stored locally. Ensure log files receive the proper file system permissions and limiting log data locations.Verify the VPN Gateway is configured to protect audit information from unauthorized deletion when stored locally.
+
+If the VPN Gateway does not protect audit information from unauthorized deletion when stored locally, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000450The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+DoD continually assesses the ports, protocols, and services that can be used for network communications. Some protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The PPSM CAL and vulnerability assessments provide an authoritative source for ports, protocols, and services that are unauthorized or restricted across boundaries on DoD networks.
+
+The VPN Gateway must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97079SV-106217CCI-000382Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration.
+
+View the configured security services.
+
+Compare the services that are enabled, including the port, services, protocols, and functions.
+
+Consult the product knowledge base and configuration guides to determine the commands for disabling each port, protocols, services, or functions that is not in compliance with the PPSM CAL and vulnerability assessments.View the configured security services.
+
+Compare the services that are enabled, including the port, services, protocols, and functions.
+
+If functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000460The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97081SV-106219CCI-000382Configure the IPsec VPN Gateway to use IKEv2 for IPsec VPN security associations.Verify the IPsec VPN Gateway uses IKEv2 for IPsec VPN security associations.
+
+If the IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000470The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.<VulnDiscussion>The PPTP and L2F are obsolete method for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have many well-known security issues and exploits. Encryption and authentication are both weak.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97083SV-106221CCI-000382Configure the VPN Gateway to prohibit PPTP and L2F.Verify the VPN Gateway is configured to prohibit PPTP and L2F.
+
+If the VPN Gateway does not be configured to prohibit PPTP and L2F, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000480For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.<VulnDiscussion>Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate RFC documents. Further complexity is created by the capability to define vender-specific parameters beyond those defined in the L2TP specifications.
+
+The endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC) in which case it inputs/outputs the layer 2 protocol to/from the L2TP tunnel. Otherwise, it is an L2TP Network Server (LNS), in which case it inputs/outputs the layer 3 (IP) protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of which is the most common case. The LAC-LNS model allows a remote access user to reach his home network or ISP from a remote location. The remote access user connects to a LAC device which tunnels his connection home to an awaiting LNS. The LAC could also be located on the remote user's laptop, which connects to an LNS at home using some generic internet connection. The other reference models may be used for more obscure scenarios.
+
+Although the L2TP protocol does not contain encryption capability, it can be operated over IPsec, which would provide authentication and confidentiality. A remote user in the LAC-LNS model would most likely obtain a dynamically assigned IP address from the home network to ultimately use through the tunnel back to the home network. Secondly, the outer IP source address used to send the L2TP tunnel packet to the home network is likely to be unknown or highly variable. Thirdly, since the LNS provides the remote user with a dynamic IP address to use, the firewall at the home network would have to be dynamically updated to accept this address in conjunction with the outer tunnel address. Finally, there is also the issue of authentication of the remote user prior to divulging an acceptable IP address. Because of all of these complications, the strict filtering rules applied to the IP-in-IP and GRE tunneling cases will likely not be possible in the L2TP scenario.
+
+In addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern if allowed through a security boundary. In particular:
+
+1) L2TP potentially allows link layer protocols to be delivered from afar. These protocols were intended for link-local scope only, are less defended, and not as well-known,
+2) The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead,
+3) L2TP is highly complex and variable (vender-specific variability) and therefore would be a viable target that is difficult to defend. It is better left outside of the main firewall where less damage occurs if the L2TP-processing node is compromised,
+4) Filtering cannot be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the application layer code would have to be relied on to achieve this task,
+5) Regardless of whether the L2TP is handled inside or outside of the main network, a secondary layer of IP filtering is required; therefore bringing it inside does not save resources.
+
+Therefore, it is not recommended to allow unencrypted L2TP packets across the security boundary into the network's protected areas. Reference the Backbone Transport STIG for additional L2TP guidance and use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97085SV-106223CCI-000382If L2TP is used for encapsulation, configure the VPN Gateway or other network element to block or deny this communications protocol unencrypted L2TP packets across the security boundary and into the private network of the enclave.If L2TP communications protocol is not used, this is not applicable.
+
+Verify the VPN Gateway or another network element (e.g., firewall) is configure to block or deny L2TP packets with a destination address within the private network of the enclave.
+
+If L2TP communications are allowed to cross the security boundary into the private network of the enclave, this is a finding.SRG-NET-000138<GroupDescription></GroupDescription>SRG-NET-000138-VPN-000490The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.
+
+(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
+
+(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97087SV-106225CCI-000764Configure the VPN Gateway to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).Verify the VPN Gateway is configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
+
+If the VPN Gateway does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.SRG-NET-000140<GroupDescription></GroupDescription>SRG-NET-000140-VPN-000500The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.<VulnDiscussion>To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
+
+Multifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for non-privileged account is not authorized.
+
+Factors include:
+(i) Something you know (e.g., password/PIN);
+(ii) Something you have (e.g., cryptographic identification device, token); or
+(iii) Something you are (e.g., biometric).
+
+A non-privileged account is any information system account with authorizations of a non-privileged user.
+
+Network access is any access to a network element by a user (or a process acting on behalf of a user) communicating through a network.
+
+The DoD CAC with DoD-approved PKI is an example of multifactor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97089SV-106227CCI-000766Configure the VPN Gateway to use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.Verify the VPN Gateway uses multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
+
+If the VPN Gateway does not use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts, this is a finding.SRG-NET-000145<GroupDescription></GroupDescription>SRG-NET-000145-VPN-000510The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.<VulnDiscussion>Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD CAC.
+
+A nonprivileged account is any information system account with authorizations of a nonprivileged user.
+
+Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97091SV-106229CCI-004046Configure the VPN Client to implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.Verify the VPN Client implements multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
+
+If the VPN Client does not implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.SRG-NET-000147<GroupDescription></GroupDescription>SRG-NET-000147-VPN-000520The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
+
+An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
+
+A nonprivileged account is any operating system account with authorizations of a nonprivileged user.
+
+Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97093SV-106231CCI-001941Configure the TLS VPN Gateway to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.Verify the TLS VPN Gateway is configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.
+
+If the TLS VPN is not configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts, this is a finding.SRG-NET-000147<GroupDescription></GroupDescription>SRG-NET-000147-VPN-000530The IPsec VPN Gateway must use anti-replay mechanisms for security associations.<VulnDiscussion>Anti-replay is an IPsec security mechanism at a packet level, which helps to avoid unwanted users from intercepting and modifying an ESP packet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97095SV-106233CCI-001941Configure the IPsec VPN Gateway to use anti-replay mechanisms for security associations.Verify the IPsec VPN Gateway uses anti-replay mechanisms for security associations.
+
+If the IPsec VPN Gateway does not use anti-replay mechanisms for security associations, this is a finding.SRG-NET-000148<GroupDescription></GroupDescription>SRG-NET-000148-VPN-000540The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions.
+
+This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97097SV-106235CCI-000778Configure the VPN Gateway to uniquely identify all network-connected endpoint devices before establishing a connection.Verify the VPN Gateway uniquely identifies all network-connected endpoint devices before establishing a connection.
+
+If the VPN Gateway does not uniquely identify all network-connected endpoint devices before establishing a connection, this is a finding.SRG-NET-000164<GroupDescription></GroupDescription>SRG-NET-000164-VPN-000560The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality and integrity of communications. The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications.
+
+A trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. However, applications that do not use a trusted path are not approved for non-local and remote management of DoD information systems.
+
+Use of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPV1 is not approved since they violate the trusted channel rule set. Use of web management tools that are not validated by common criteria may also violate the trusted channel rule set.
+
+When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
+
+This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97099SV-106237CCI-000185Configure the VPN Gateway to use PKI-based authentication that validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor.Verify the VPN Gateway to use PKI-based authentication that validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
+
+If PKI-based authentication does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.SRG-NET-000165<GroupDescription></GroupDescription>SRG-NET-000165-VPN-000570The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
+
+The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to authenticate to network devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97101SV-106239CCI-000186Configure the site-to-site VPN that uses certificate-based device authentication to use a FIPS-compliant key management process.If PKI-based authentication is not being used for device authentication, this is not applicable.
+
+Verify the site-to-site VPN that uses certificate-based device authentication uses a FIPS-compliant key management process.
+
+If the site-to-site VPN that uses certificate-based device authentication does not use a FIPS-compliant key management process, this is a finding.SRG-NET-000166<GroupDescription></GroupDescription>SRG-NET-000166-VPN-000580The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.<VulnDiscussion>The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106241V-97103CCI-000187Configure the Remote Access VPN Gateway to use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.Verify the Remote Access VPN Gateway is configured to use a physically separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
+
+If the Remote Access VPN Gateway does not use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication, this is a finding.SRG-NET-000166<GroupDescription></GroupDescription>SRG-NET-000166-VPN-000590The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of a user (e.g., VPN or ALG. This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106251V-97113CCI-000187Configure the VPN Gateway to map the authenticated identity to the user account for PKI-based authentication.Verify the VPN Gateway maps the authenticated identity to the user account for PKI-based authentication.
+
+If the VPN Gateway does not map the authenticated identity to the user account for PKI-based authentication, this is a finding.SRG-NET-000168<GroupDescription></GroupDescription>SRG-NET-000168-VPN-000600The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-2 for integrity of remote access sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106253V-97115CCI-000803Configure the VPN Gateway to use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.Verify the VPN Gateway uses FIPS-validated SHA-2 or higher.
+
+If the VPN Gateway does not use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification, this is a finding.SRG-NET-000169<GroupDescription></GroupDescription>SRG-NET-000169-VPN-000610The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).<VulnDiscussion>Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a VPN gateway that provides opportunity for intruders to compromise resources within the network infrastructure.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106255V-97117CCI-000804Configure the VPN Gateway to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).Configure the VPN Gateway to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
+
+If the VPN Gateway does not uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users), this is a finding.SRG-NET-000205<GroupDescription></GroupDescription>SRG-NET-000205-VPN-000710The VPN Gateway must be configured to route sessions to an IDPS for inspection.<VulnDiscussion>Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.
+
+Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.
+
+Automated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106257V-97119CCI-001097Configure the VPN Gateway to route sessions to an IDPS for inspection.Verify the VPN Gateway routes sessions to an IDPS for inspection.
+
+If the VPN Gateway is not configured to route sessions to an IDPS for inspection, this is a finding.SRG-NET-000213<GroupDescription></GroupDescription>SRG-NET-000213-VPN-000720The VPN Gateway must terminate all network connections associated with a communications session at the end of the session.<VulnDiscussion>Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. These “orphaned” sessions use up valuable router resources and can be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keep alive messages to check that the remote end of a session is still connected. If the remote device fails to respond to the TCP keep alive message, the sending router will clear the connection and free resources allocated to the session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106259V-97121CCI-001133Configure the VPN Gateway to terminate all network connections associated with a communications session at the end of the session.Verify the VPN Gateway terminates all network connections associated with a communications session at the end of the session.
+
+If the VPN Gateway does not terminate all network connections associated with a communications session at the end of the session, this is a finding.SRG-NET-000230<GroupDescription></GroupDescription>SRG-NET-000230-VPN-000770The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised.
+
+VPN gateways utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106261V-97123CCI-001184Configure the VPN Gateway to use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.Verify the VPN Gateway uses FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
+
+If the VPN Gateway does not use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module, this is a finding.SRG-NET-000230<GroupDescription></GroupDescription>SRG-NET-000230-VPN-000780The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE).<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-2 for integrity of remote access sessions.
+
+This requirement is applicable to the configuration of IKE Phase 1 and Phase 2.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106263V-97125CCI-001184Configure the IPsec VPN Gateway to use IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions.Verify the IPsec VPN Gateway uses IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions.
+
+If the IPsec VPN Gateway is not configured to use IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions, this is a finding.SRG-NET-000231<GroupDescription></GroupDescription>SRG-NET-000231-VPN-000790The VPN Gateway must invalidate session identifiers upon user logoff or other session termination.<VulnDiscussion>Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs.
+
+Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the VPN gateway must terminate the user session to minimize the potential for an attacker to hijack that particular user session.
+
+This requirement focuses on communications protection for the application session rather than for the network packet.
+
+This requirement applies only to any VPN gateway that is an intermediary of individual sessions (e.g., proxy, ALG, or SSL VPN). This requirement focuses on communications protection at the application session, versus network packet level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97127SV-106265CCI-001185Configure the VPN Gateway to invalidate session identifiers upon user logoff or other session termination.Verify the VPN Gateway invalidates session identifiers upon user logoff or other session termination.
+
+If the VPN Gateway does not invalidate session identifiers upon user logoff or other session termination, this is a finding.SRG-NET-000233<GroupDescription></GroupDescription>SRG-NET-000233-VPN-000800The VPN Gateway must recognize only system-generated session identifiers.<VulnDiscussion>VPN gateways (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's application session can be compromised.
+
+Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.
+
+This requirement focuses on communications protection for the application session rather than for the network packet.
+
+This requirement applies to any VPN gateway that is an intermediary of individual sessions (e.g., proxy, ALG, TLS VPN). VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97129SV-106267CCI-001664Configure the VPN Gateway to recognize only system-generated session identifiers.Verify the VPN Gateway recognizes only system-generated session identifiers.
+
+If the VPN Gateway does not recognize only system-generated session identifiers, this is a finding.SRG-NET-000234<GroupDescription></GroupDescription>SRG-NET-000234-VPN-000810The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.<VulnDiscussion>Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97131SV-106269CCI-001188Configure the VPN Gateway to generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.Verify the VPN Gateway generates unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
+
+If the VPN Gateway does not generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm, this is a finding.SRG-NET-000235<GroupDescription></GroupDescription>SRG-NET-000235-VPN-000820The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.<VulnDiscussion>Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. VPN gateways that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption to mission-essential processes.
+
+Abort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97133SV-106271CCI-001190Configure the VPN Gateway to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.Verify the VPN Gateway is configured to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
+
+If the VPN Gateway does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.SRG-NET-000313<GroupDescription></GroupDescription>SRG-NET-000313-VPN-001050The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.<VulnDiscussion>Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and makes remote user access management difficult at best.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Remote access functionality, such as remote access servers, VPN concentrators, and IDS/IPS devices, must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97135SV-106273CCI-002314Configure the VPN Gateway to be configured to perform an organization-defined action if the audit reveals unauthorized activity.Verify the VPN Gateway is configured to perform an organization-defined action if the audit reveals unauthorized activity.
+
+If the VPN Gateway does not be configured to perform an organization-defined action if the audit reveals unauthorized activity, this is a finding.SRG-NET-000314<GroupDescription></GroupDescription>SRG-NET-000314-VPN-001060The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed.<VulnDiscussion>Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking progress would not be immediately stopped.
+
+Remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems.
+
+The remote access functionality (e.g., VPN, ALG, and RAS) may implement features, such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97137SV-106275CCI-002322Configure the VPN Gateway for functionality, such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
+
+Configure authorized system administrator accounts to allow them to disconnect or disable remote access to remove user under circumstances defined in the VPN SSP.Configure the VPN Gateway for functionality, such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
+
+Configure authorized system administrator accounts to allow them to disconnect or disable remote access to remove user under circumstances defined in the VPN SSP.
+
+If the VPN Gateway administrator accounts or security policy is not configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed, this is a finding.SRG-NET-000317<GroupDescription></GroupDescription>SRG-NET-000317-VPN-001090The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.
+
+AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97139SV-106277CCI-000068Configure the IPsec Gateway to use AES with IKE. The option on the IKE Phase 1 proposal may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.Verify all IKE proposals are set to use the AES encryption algorithm.
+
+View the value of the encryption algorithm for each defined proposal.
+
+If the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.SRG-NET-000334<GroupDescription></GroupDescription>SRG-NET-000334-VPN-001260The VPN Gateway must off-load audit records onto a different system or media than the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106285V-97147CCI-001851Configure the VPN Gateway to off-load audit records onto a different system or media than the system being audited.Verify the VPN Gateway off-loads log records onto a different system or media than the system being audited.
+
+If the VPN Gateway does not off-load audit records onto a different system or media than the system being audited, this is a finding.SRG-NET-000335<GroupDescription></GroupDescription>SRG-NET-000335-VPN-001270The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
+
+Alerts provide organizations with urgent messages. Automated alerts can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded.
+
+While this requirement also applies to the event monitoring system (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers), the VPN Gateway must also be configured to generate a message to the administrator console.
+
+The VPN daemon facility and log facility are messages in the log, which capture actions performed or errors encountered by system processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106287V-97149CCI-001858Configure the VPN Gateway to generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.Verify the VPN Gateway generates a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
+
+If the VPN Gateway does not generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server, this is a finding.SRG-NET-000337<GroupDescription></GroupDescription>SRG-NET-000337-VPN-001290The VPN Gateway must renegotiate the IPsec security association (SA) after eight hours or less.<VulnDiscussion>The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the lifetime of the IPsec SA, the longer the lifetime of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. 
However, a shorter lifetime causes IPsec peers to renegotiate Phase II more often, resulting in the expenditure of additional resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106291V-97153CCI-002036Configure the VPN Gateway to renegotiate the IPsec security association after eight hours or less.Verify the VPN Gateway renegotiates the IPsec security association after eight hours or less.SRG-NET-000337<GroupDescription></GroupDescription>SRG-NET-000337-VPN-001300The VPN Gateway must renegotiate the IKE security association (SA) after eight hours or less.<VulnDiscussion>When a VPN gateway creates an IPsec SA, resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. 
The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106293V-97155CCI-002036Configure the VPN Gateway to renegotiate the IKE security association after eight hours or less. Verify the VPN Gateway renegotiates the IKE security association after eight hours or less.
+
+If the VPN Gateway does not renegotiate the IKE security association after eight hours or less, this is a finding.SRG-NET-000341<GroupDescription></GroupDescription>SRG-NET-000341-VPN-001350The VPN Gateway must accept the Common Access Card (CAC) credential.<VulnDiscussion>The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC as the PIV credential to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97157SV-106295CCI-001953Configure the VPN Gateway to accept the CAC credential.Verify the VPN Gateway accepts PIV credentials.
+
+If the VPN Gateway does not accept the CAC credential, this is a finding.SRG-NET-000342<GroupDescription></GroupDescription>SRG-NET-000342-VPN-001360The VPN Gateway must electronically verify the Common Access Card (CAC) credential.<VulnDiscussion>DoD has mandated the use of the CAC as the Personal Identity Verification (PIV) credential to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97159SV-106297CCI-001954Configure the VPN Gateway to electronically verify the CAC credential.Verify the VPN Gateway electronically verifies the CAC credential.
+
+If the VPN Gateway does not electronically verify Personal Identity Verification (PIV) credentials, this is a finding.SRG-NET-000343<GroupDescription></GroupDescription>SRG-NET-000343-VPN-001370The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.
+
+This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.
+
+Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106315V-97177CCI-001958Configure the VPN Gateway to authenticate all network-connected endpoint devices before establishing a connection.Verity the VPN Gateway authenticates all network-connected endpoint devices before establishing a connection.
+
+If the VPN Gateway does not authenticate all network-connected endpoint devices before establishing a connection, this is a finding.SRG-NET-000352<GroupDescription></GroupDescription>SRG-NET-000352-VPN-001460The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
+
+The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by NIST and are used by NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified NSS. However, quantum resistant algorithms will be required for future required Suite B implementations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106317V-97179CCI-002450Configure the VPN Gateway to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.Verify the VPN Gateway uses an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
+
+If the VPN Gateway does not use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network, this is a finding.SRG-NET-000369<GroupDescription></GroupDescription>SRG-NET-000369-VPN-001620The VPN Gateway must disable split-tunneling for remote clients VPNs.<VulnDiscussion>Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
+
+A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has access to the Internet while at the same time has established a secured path to the enclave via an IPsec tunnel. A remote client connected to the Internet that has been compromised by an attacker in the Internet, provides an attack base to the enclave’s private network via the IPsec tunnel. Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106319V-97181CCI-002397Configure the VPN Gateway to disable split-tunneling for remote clients VPNs.Verify the VPN Gateway disables split-tunneling for remote clients VPNs.
+
+If the VPN Gateway does not disable split-tunneling for remote clients VPNs, this is a finding.SRG-NET-000371<GroupDescription></GroupDescription>SRG-NET-000371-VPN-001640The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.<VulnDiscussion>PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications.
+
+The phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey or key regeneration procedure is very important. The phase 2 rekey can be performed with or without PFS. With PFS, every time a new IPsec Security Association is negotiated during the Quick Mode, a new Diffie-Hellman (DH) exchange occurs. The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce) from phase 1 for generating a new IPsec session key. If PFS is not used, the IPsec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised.
+
+The DH exchange is performed in the same manner as was done in phase 1 (Main or Aggressive Mode). However, the phase 2 exchange is protected by encrypting the phase 2 packets with the key derived from the phase 1 negotiation. Because DH negotiations during phase 2 are encrypted, the new IPsec session key has an added element of secrecy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106321V-97183CCI-002418Configure the IPsec VPN Gateway to specify PFS during IKE negotiation.Verify the IPsec VPN Gateway specifies PFS during IKE negotiation.
+
+If the IPsec VPN Gateway does not specify PFS during IKE negotiation, this is a finding.SRG-NET-000371<GroupDescription></GroupDescription>SRG-NET-000371-VPN-001650The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered.
+
+This requirement also applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+For example, configure all ISAKMP policies to use AES for Internet Key Exchange (IKE) cryptographic encryption operations and SHA-2 to protect data integrity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97185SV-106323CCI-002418Configure the VPN Gateway and the remote access client to protect the confidentiality and integrity of transmitted information.Verify the VPN Gateway and the remote access client are configured to protect the confidentiality and integrity of transmitted information.
+
+If VPN Gateway and Client does not protect the confidentiality and integrity of transmitted information, this is a finding.SRG-NET-000400<GroupDescription></GroupDescription>SRG-NET-000400-VPN-001940For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication.
+
+Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-2 for integrity of remote access sessions.
+
+The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption.
+
+Pre-shared key cipher suites may only be used in networks where both the client and server belong to the same organization. Cipher suites using pre-shared keys shall not be used with TLS 1.0 or 1.1 and shall not be used with TLS 1.2 when a Government client or server communicates with non-government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97189SV-106327CCI-000197For accounts using password authentication, configure the VPN Gateway to use SHA-2 or later protocol to protect the integrity of the password authentication process.For accounts using password authentication, verify the VPN Gateway uses SHA-2 or later protocol to protect the integrity of the password authentication process.
+
+For accounts using password authentication, if the VPN Gateway does not use SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.SRG-NET-000492<GroupDescription></GroupDescription>SRG-NET-000492-VPN-001980The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur.<VulnDiscussion>Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
+
+Log records can be generated from various components within the information system (e.g., module or policy filter).
+
+This requirement only applies to components where this is specific to the function of the device, such as application layer gateway (ALG), which provides these access control and auditing functions on behalf of an application. This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97191SV-106329CCI-000172Configure the VPN Gateway to generate log records when successful and/or unsuccessful VPN connection attempts occur.Verify the VPN Gateway generates log records when successful and/or unsuccessful VPN connection attempts occur.
+
+If the VPN Gateway does not generate log records when successful and/or unsuccessful VPN connection attempts occur, this is a finding.SRG-NET-000510<GroupDescription></GroupDescription>SRG-NET-000510-VPN-002160The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes.<VulnDiscussion>FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plain text. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard.
+
+The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security function within the product being evaluated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97193SV-106331CCI-002450Configure the VPN Gateway to use a FIPS-validated cryptographic module to generate cryptographic hashes.Verify the VPN Gateway uses a FIPS-validated cryptographic module to generate cryptographic hashes.
+
+If the VPN Gateway does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.SRG-NET-000510<GroupDescription></GroupDescription>SRG-NET-000510-VPN-002170The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.<VulnDiscussion>FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plain text. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard.
+
+The cryptographic module used must have one FIPS-validated encryption algorithm (i.e., validated Advanced Encryption Standard [AES]). This validated algorithm must be used for encryption for cryptographic security function within the product being evaluated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97195SV-106333CCI-002450Configure the VPN Gateway to use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.Verify the VPN Gateway uses a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
+
+If the VPN Gateway does not use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, this is a finding.SRG-NET-000510<GroupDescription></GroupDescription>SRG-NET-000510-VPN-002180The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97197SV-106335CCI-002450Configure the IPsec VPN Gateway IKE to use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.Verify the IPsec VPN Gateway IKE uses a NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
+
+If the IPsec VPN Gateway IKE does not use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic, this is a finding.SRG-NET-000512<GroupDescription></GroupDescription>SRG-NET-000512-VPN-002220The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).<VulnDiscussion>Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys.
+
+An IPsec SA is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number.
+
+With manual configuration of the IPsec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPsec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA, which could result in a rogue device establishing an IPsec SA with either of the VPN end points.
+
+IKE provides primary authentication to verify the identity of the remote system before negotiation begins. This feature is lost when the IPsec security associations are manually configured, which results in a non-terminating session using static pre-shared keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97199SV-106337CCI-000366Configure the IPsec VPN Gateway to use IKE and IPsec VPN SAs.Verify the IKE protocol is specified for all IPsec VPNs.
+
+If the IKE protocol is not specified as an option on all VPN gateways, this is a finding.SRG-NET-000518<GroupDescription></GroupDescription>SRG-NET-000518-VPN-002280The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.<VulnDiscussion>If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
+
+However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions.
+
+This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97203SV-106341CCI-002363Configure the VPN Client logout log out function must be configured to terminate the session on/with the VPN Gateway.Verify the VPN Client logout function is configured to terminate the session on/with the VPN Gateway.
+
+If the VPN Client logout function does not terminate the session on/with the VPN Gateway, this is a finding.SRG-NET-000519<GroupDescription></GroupDescription>SRG-NET-000519-VPN-002290The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.<VulnDiscussion>If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.
+
+Logout messages for access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions.
+
+This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106343V-97205CCI-002364Configure the VPN Client to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.Verify the VPN Client displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
+
+If the VPN Client does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.SRG-NET-000522<GroupDescription></GroupDescription>SRG-NET-000522-VPN-002320For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs).<VulnDiscussion>PSKs need to be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and must not be used as a replacement for two-factor CAC-enabled authentication.
+
+NIST SP 800-52 Rev 2 provides guidance for using pre-shared keys with VPN gateways. PSKs may only be used in networks where both the client and server belong to the same organization.
+
+PSKs used for site-to-site VPNs are considered by the SRG as a type of password. If this shared secret is already encrypted and not in plaintext, this meets this requirement. This requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security.
+
+Use a keyed hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106345V-97207CCI-004062Configure the VPN Gateway to store only cryptographic representations of the PSK.Verify the VPN Gateway stores only cryptographic representations of the PSK.
+
+If the VPN Gateway does not store only cryptographic representations of the PSK, this is a finding.SRG-NET-000525<GroupDescription></GroupDescription>SRG-NET-000525-VPN-002330The IPsec VPN must use AES256 or greater encryption for the IPsec proposal to protect the confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.
+
+A block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication.
+
+AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DOD. For an algorithm implementation to be listed on a FIPS 140-2/140-3 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2/140-3 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106347V-97209CCI-000068Configure the IPsec Gateway to use AES256 or greater for the IPsec proposal.Verify all Internet Key Exchange (IKE) proposals are set to use the AES256 or greater encryption algorithm.
+
+View the value of the encryption algorithm for each defined proposal.
+
+If the value of the encryption algorithm for any IPsec proposal is not set to use an AES256 or greater algorithm, this is a finding.SRG-NET-000530<GroupDescription></GroupDescription>SRG-NET-000530-VPN-002340The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
+
+This requirement applies to TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or public-facing servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106349V-97211CCI-001453Configure the TLS VPN Gateway that supports Government-only services to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.Verify the TLS VPN Gateway that supports Government-only services prohibits client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
+
+If the TLS VPN Gateway that supports Government-only services does not prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.SRG-NET-000540<GroupDescription></GroupDescription>SRG-NET-000540-VPN-002350The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
+
+This requirement applies to public-facing or external-facing devices such as TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance.
+
+The minimum TLS version required by DoD is 1.2. However, devices and applications may allow client negotiation for systems supporting citizen- and business-facing applications. These devices may be configured to support TLS version 1.1 and 1.0 to enable interaction with citizens and businesses. These devices must not support SSL version 3.0 or earlier.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106351V-97213CCI-001453Configure the TLS VPN Gateway that supports citizen- or business-facing network devices to prohibit client negotiation to SSL 2.0 or SSL 3.0.Verify the TLS VPN Gateway that supports citizen- or business-facing network devices prohibits client negotiation to SSL 2.0 or SSL 3.0.
+
+If the TLS VPN Gateway that supports citizen- or business-facing network devices does not prohibit client negotiation to SSL 2.0 or SSL 3.0, this is a finding.SRG-NET-000550<GroupDescription></GroupDescription>SRG-NET-000550-VPN-002360The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.<VulnDiscussion>Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
+
+SNMPv3 supports authentication, authorization, access control, and privacy, while previous versions of the protocol contained well-known security weaknesses, which were easily exploited. SNMPv3 can be configured for identification and bidirectional, cryptographically based authentication.
+
+A typical SNMP implementation includes three components: managed device, SNMP agent, and NMS. The SNMP agent is the SNMP process that resides on the managed device and communicates with the network management system. The NMS is a combination of hardware and software that is used to monitor and administer a network. The SNMP data is stored in a highly structured, hierarchical format known as a management information base (MIB). The SNMP manager collects information about network connectivity, activity, and events by polling managed devices.
+
+SNMPv3 defines a user-based security model (USM), and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection.
+
+SNMPv3 server services must not be configured on products whose primary purpose is not to provide SNMP services. SNMP client services may be configured on the VPN gateway, application, or operating system to allow limited monitoring or querying of the device from by an SNMP server for management purposes. SNMP of any version will not be used to make configuration changes to the device. SNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication.
+
+Currently, the AES cipher block algorithm can be used for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption) in DoD. The use of FIPS-approved algorithms for both cryptographic mechanisms is required. If any version of SNMP is used for remote administration, default SNMP community strings such as "public" and "private" should be removed before real community strings are put into place. If the defaults are not removed, an attacker could retrieve real community strings from the device using the default string.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106353V-97215CCI-001967For the VPN Gateway that provides a SNMP NMS, configure SNMPv3 to use FIPS-validated AES cipher block algorithm.Verify the VPN Gateway that provides a SNMP NMS is configured to use SNMPv3 to use FIPS-validated AES cipher block algorithm.
+
+If the VPN Gateway that provides a SNMP NMS does not configure SNMPv3 to use FIPS-validated AES cipher block algorithm, this is a finding.SRG-NET-000565<GroupDescription></GroupDescription>SRG-NET-000565-VPN-002390The VPN remote access server must be configured use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated.
+
+NIST cryptographic algorithms approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program, the approved algorithms have been changed to more stringent protocols configure with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106355V-97217CCI-002450Configure the IPsec VPN Gateway to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network.Verify the VPN gateway is configured to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network.
+
+If the VPN gateway is not configured to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network, this is a finding.SRG-NET-000565<GroupDescription></GroupDescription>SRG-NET-000565-VPN-002400The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated.
+
+NIST cryptographic algorithms approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program, the approved algorithms have been changed to more stringent protocols configure with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106357V-97219CCI-002450Configure the IPsec VPN Gateway Internet Key Exchange (IKE) to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network.Verify the VPN gateway IKE Phase 1 and Phase 2 are configured to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network.
+
+If the VPN gateway is not configured to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network, this is a finding.SRG-NET-000580<GroupDescription></GroupDescription>SRG-NET-000580-VPN-002410The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.<VulnDiscussion>A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.
+
+Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106359V-97221CCI-000185Configure the VPN Gateway to validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.Verify the VPN Gateway validates TLS certificates by performing RFC 5280-compliant certification path validation.
+
+If the VPN Gateway does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.SRG-NET-000213<GroupDescription></GroupDescription>SRG-NET-000213-VPN-000721The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.<VulnDiscussion>This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment.
+
+Best practice is to terminate inactive user sessions after a period; however, when setting timeouts to any VPN connection, the organization must take into consideration the risk to the mission and the purpose of the VPN. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement.
+
+To determine if and when the VPN connections warrant termination, the organization must perform a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at significant risk.
+
+The organization must document the results and the determination of the risk assessment in the VPN section of the SSP. The organization must also configure VPN session terminations in accordance with the risk assessment.
+Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection.
+
+This requirement applies to any network element that tracks individual sessions (e.g., stateful inspection firewall, ALG, or VPN).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001133CCI-000057This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement.
+
+Conduct a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at risk of failure.
+
+Identify the organizations' VPN session termination periodic value based on the risk assessment. Add the results of the risk assessment and the session termination values to the site's SSP documents.
+
+Configure the VPN gateway to periodically terminate all remote network connections in accordance with the values defined in the SSP.This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement.
+
+Review the system security plan. Verify the VPN gateway session termination is configured in accordance with the value specified in the SSP.
+
+If a risk assessment has not been conducted and an organization-defined session termination period is not addressed/documented in the SSP, this is a finding.
+
+If the VPN gateway is not configured to terminate all remote access network connections in accordance with the values defined in the SSP, this is a finding.SRG-NET-000705<GroupDescription></GroupDescription>SRG-NET-000705-VPN-000110The VPN Gateway must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.<VulnDiscussion>DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-004866Configure the VPN Gateway to employ organization-defined controls by type of DoS to achieve the DoS objective.Verify the VPN Gateway is configured to employ organization-defined controls by type of DoS to achieve the DoS objective.
+
+If the VPN Gateway is not configured to employ organization-defined controls by type of DoS to achieve the DoS objective, this is a finding.SRG-NET-000715<GroupDescription></GroupDescription>SRG-NET-000715-VPN-000120The VPN Gateway must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.<VulnDiscussion>Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-004891Configure the VPN Gateway to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.Verify the VPN Gateway is configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
+
+If the VPN Gateway is not configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions, this is a finding.SRG-NET-000760<GroupDescription></GroupDescription>SRG-NET-000760-VPN-000160The VPN Gateway must establish organization-defined alternate communications paths for system operations organizational command and control.<VulnDiscussion>An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident, can impact the ability of the organization to respond to such incidents in a timely manner. 
Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization's ability to continue to operate and take appropriate actions during an incident.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-004931Configure the VPN Gateway to establish organization-defined alternate communications paths for system operations organizational command and control.Verify the VPN Gateway is configured to establish organization-defined alternate communications paths for system operations organizational command and control.
+
+If the VPN Gateway is not configured to establish organization-defined alternate communications paths for system operations organizational command and control, this is a finding.SRG-NET-000345<GroupDescription></GroupDescription>SRG-NET-000345-VPN-002430The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.<VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of a user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-004068If PKI-based user authentication intermediary services are provided, configure the VPN to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.If the VPN does not provide PKI-based user authentication intermediary services, this is not applicable.
+
+Verify the VPN implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
+
+If the VPN does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.
+SRG-NET-000580<GroupDescription></GroupDescription>SRG-NET-000580-VPN-002431The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session.<VulnDiscussion>Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. One example is if the certificate is known to have been compromised.
+
+When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid. If the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-004068Configure the VPN Gateway to reject user certificates that have been revoked when using DOD PKI for authentication.Verify the VPN Gateway rejects user certificates that have been revoked when using DOD PKI for authentication.
+
+If the VPN Gateway does not configure OCSP and/or CRL to reject revoked user credentials that are prohibited from establishing an allowed session, this is a finding.
+SRG-NET-000580<GroupDescription></GroupDescription>SRG-NET-000580-VPN-002432The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session.<VulnDiscussion>Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised.
+
+When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid. If the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-004068Configure the VPN Gateway to reject machine certificates that have been revoked when using DOD PKI for authentication.Verify the VPN Gateway rejects machine certificates that have been revoked when using DOD PKI for authentication.
+
+If the VPN Gateway does not configure OCSP and/or CRL to reject revoked machine credentials that are prohibited from establishing an allowed session, this is a finding.
+SRG-NET-000355<GroupDescription></GroupDescription>SRG-NET-000355-VPN-002433The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions.<VulnDiscussion>Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.
+
+The DOD will only accept PKI certificates obtained from a DOD-approved internal or external Certificate Authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE).
+
+This requirement focuses on communications protection for the application session rather than for the network packet. VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established. Certificates for both user and machines must be validated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-002470Configure the VPN Gateway to only allow the use of DOD PKI-established CAs for the establishment of VPN sessions. Configure validation for both the user and machine certificates.If the VPN Gateway does not provide PKI-based user authentication intermediary services, this is not applicable.
+
+Verify the VPN Gateway only allows the use of DOD PKI-established CA for verification when establishing VPN sessions.
+
+Verify both user and machine certificates are being validated when establishing VPN sessions.
+
+If the VPN Gateway does not validate user and machine certificates using DOD PKI-established certificate authorities, this is a finding.SRG-NET-000019<GroupDescription></GroupDescription>SRG-NET-000019-VPN-002435The TLS VPN must be configured to limit authenticated client sessions to initial session source IP.<VulnDiscussion>Limiting authenticated client sessions to the initial session source IP for TLS VPNs is a safeguard against session hijacking, replay, and man-in-the-middle attacks, maintaining integrity and confidentiality of communication between clients and servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001414Configure the TLS VPN Gateway to limit authenticated client sessions to initial session source IP.Verify the TLS VPN Gateway limits authenticated client sessions to initial session source IP.
+
+If the TLS VPN Gateway does not limit authenticated client sessions to initial session source IP, this is a finding.SRG-NET-000230<GroupDescription></GroupDescription>SRG-NET-000230-VPN-002436The VPN Gateway must use Always On VPN connections for remote computing.<VulnDiscussion>Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if a secured connection to the gateway is lost, hybrid-working users will simply be disconnected from the internet until the issue is solved.
+
+"Always On" is a term that describes a VPN connection that is secure and always on after the initial connection is established. An Always On VPN deployment establishes a VPN connection with the client without the need for user interaction (e.g., user credentials). The remote client must not be able to access the internet without first establishing a VPN session with a DOD site.
+
+Note that device compliance checks are still required prior to connecting to DOD resources. Although out of scope for this requirement, the connection process must ensure remote devices meet security standards before accessing DOD resources. Devices that fail to meet compliance requirements can be denied access, reducing the risk of compromised endpoints.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001184Configure the VPN Gateway to enable Always On VPN connections for all remote users. The remote client must not be able to access the internet without first establishing a VPN session with a DOD site.Verify that the VPN Gateway uses an Always On VPN connection for remote computing.
+
+If the VPN Gateway does not use an Always On VPN connection for remote computing, this is a finding.
+
\ No newline at end of file
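Review bot: the rules that close this new file are VPN SRG content (SRG-NET-000355-VPN-002433, SRG-NET-000019-VPN-002435 and SRG-NET-000230-VPN-002436, each with DPMS target "Virtual Private Network (VPN)" and CCIs 002470/001414/001184), not operating-system rules, so the wrong XCCDF appears to have been extracted into this path; re-extract from the intended benchmark zip before merging. The file also ends without a trailing newline, which will make every later append show up as a two-line change.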
diff --git a/stigs.json b/stigs.json
index b28f3e567..82cbd2334 100644
--- a/stigs.json
+++ b/stigs.json
@@ -24,12 +24,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_A10_Networks_ADC_NDM_STIG_V1R1_Manual-xccdf.xml"
},
{
- "id": "AAA_Services",
- "name": "Authentication, Authorization, and Accounting Services (AAA) SRG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_AAA_Services_V2R1_SRG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_AAA_Services_SRG_V2R1_Manual-xccdf.xml"
+ "id": "AAA_Service_SRG",
+ "name": "Rev. 4 Sunset - Authentication, Authorization, and Accounting Services (AAA) SRG - Ver 1, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_AAA_Services_V1R2_SRG.zip",
+ "size": "665.83 KB",
+ "version": "V1R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_AAA_Services_SRG_V1R2_Manual-xccdf.xml"
},
{
"id": "Active_Directory_Domain",
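Review bot: this replaces the AAA Services SRG V2R1 object with the older "Rev. 4 Sunset" V1R2 release instead of adding the sunset release next to it, so the catalog loses its only pointer to the current release; if both should be listed, keep the V2R1 object and add V1R2 as a second one. The rename from "AAA_Services" to "AAA_Service_SRG" also changes a key that downstream profiles may already reference, so either keep the old id or call the rename out in the commit message.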
@@ -125,11 +125,11 @@
},
{
"id": "Tomcat_Application_Server_9_STIG",
- "name": "Apache Tomcat Application Server 9 STIG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R1_STIG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apache_Tomcat_Application_Server_9_STIG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Apache Tomcat Application Server 9 STIG - Ver 2, Rel 7",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R7_STIG.zip",
+ "size": "1.94 MB",
+ "version": "V2R7",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apache_Tomcat_Application_Server_9_STIG_V2R7_Manual-xccdf.xml"
},
{
"id": "Apple_iOS_11_STIG",
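Review bot: the Tomcat 9 object drops the current V3R1 release and keeps only the sunset V2R7 one, so consumers of this catalog can no longer find the V3R1 XCCDF; confirm that is intended, or add the V2R7 object alongside rather than in place of V3R1.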
@@ -140,12 +140,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_iOS_11_STIG_V1R4_Manual-xccdf.xml"
},
{
- "id": "Apple_iOS-iPadOS_16_COBO-COPE_STIG",
- "name": "Apple iOS/iPadOS 16 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_16_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_iOS-iPadOS_16_STIG_V2R1_Manual-xccdf.xml"
+ "id": "Apple_iOS-iPadOS_15_STIG",
+ "name": "Rev. 4 Sunset - Apple iOS/iPadOS 16 STIG - Ver 1, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_16_V1R3_STIG.zip",
+ "size": "2.9 MB",
+ "version": "V1R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_iOS-iPadOS_15_STIG_V1R3_Manual-xccdf.xml"
},
{
"id": "Apple_macOS_11_STIG",
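Review bot: the id and file in this object point at iOS/iPadOS 15 ("Apple_iOS-iPadOS_15_STIG", U_Apple_iOS-iPadOS_15_STIG_V1R3_Manual-xccdf.xml) while the name and url are the iOS/iPadOS 16 V1R3 STIG, so the manual XCCDF served will be the wrong benchmark; change both to the 16 variant, e.g. "id": "Apple_iOS-iPadOS_16_STIG" and .../U_Apple_iOS-iPadOS_16_STIG_V1R3_Manual-xccdf.xml. The hunk also removes the V2R1 object, leaving no pointer to the current release.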
@@ -159,7 +159,7 @@
"id": "Apple_macOS_12_STIG",
"name": "Sunset - Apple macOS 12 STIG - Ver 1, Rel 9",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_12_V1R9_STIG.zip",
- "size": "\u2014",
+ "size": "1.82 MB",
"version": "V1R9",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_macOS_12_STIG_V1R9_Manual-xccdf.xml"
},
@@ -172,28 +172,28 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_OS_X_10-15_STIG_V1R10_Manual-xccdf.xml"
},
{
- "id": "F5_BIG-IP_Application_Security_Manager_11-x_STIG",
- "name": "Application Layer Gateway SRG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Application_Layer_Gateway_V2R1_SRG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_F5_BIG-IP_Application_Security_Manager_STIG_V2R1_Manual-xccdf.xml"
+ "id": "Application_Layer_Gateway_SRG",
+ "name": "Rev. 4 Sunset - Application Layer Gateway (ALG) SRG - Ver 1, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Application_Layer_Gateway_V1R2_SRG.zip",
+ "size": "579.7 KB",
+ "version": "V1R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Application_Layer_Gateway_V1R2_Manual-xccdf.xml"
},
{
"id": "Application_Security_Development_STIG",
- "name": "Application Security and Development STIG - Ver 6, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V6R1_STIG.zip",
- "size": "\u2014",
- "version": "V6R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_ASD_STIG_V6R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Application Security and Development STIG - Ver 5, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V5R3_STIG.zip",
+ "size": "1.31 MB",
+ "version": "V5R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_ASD_STIG_V5R3_Manual-xccdf.xml"
},
{
"id": "Application_Server_SRG",
- "name": "Application Server SRG - Ver 4, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Application_Server_V4R1_SRG.zip",
- "size": "\u2014",
- "version": "V4R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Application_Server_SRG_V4R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Application Server SRG - Ver 3, Rel 4",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Application_Server_V3R4_SRG.zip",
+ "size": "1.24 MB",
+ "version": "V3R4",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Application_Server_SRG_V3R4_Manual-xccdf.xml"
},
{
"id": "29041c8f-a868-4a61-b1ac-994b64e14f7f",
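Review bot: re-keying the first object from "F5_BIG-IP_Application_Security_Manager_11-x_STIG" (with an F5 file) to "Application_Layer_Gateway_SRG" fixes a genuinely wrong mapping, but the new file name U_Application_Layer_Gateway_V1R2_Manual-xccdf.xml omits the "_SRG" that the sibling SRG file in this hunk carries (U_Application_Server_SRG_V3R4_Manual-xccdf.xml), so verify a file with exactly that name exists under benchmarks/DISA. The ASD (V6R1 to V5R3) and Application Server SRG (V4R1 to V3R4) objects are again replaced by their sunset releases rather than supplemented.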
@@ -275,11 +275,11 @@
},
{
"id": "CAN_Ubuntu_18-04_STIG",
- "name": "Canonical Ubuntu 18.04 LTS STIG Benchmark - Ver 2, Rel 11",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_V2R11_STIG_SCAP_1-2_Benchmark.zip",
- "size": "64.51 KB",
- "version": "V2R11",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_CAN_Ubuntu_18-04_LTS_STIG_V2R11_Manual-xccdf.xml"
+ "name": "Canonical Ubuntu 18.04 LTS STIG Benchmark - Ver 2, Rel 12",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_V2R12_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "65.89 KB",
+ "version": "V2R12",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_CAN_Ubuntu_18-04_LTS_STIG_V2R12_Manual-xccdf.xml"
},
{
"id": "Microsoft_InfoPath_2010",
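Review bot: this object is moved forward (V2R11 to V2R12, SCAP 1.2 to 1.3 benchmark) and its file now points at U_CAN_Ubuntu_18-04_LTS_STIG_V2R12_Manual-xccdf.xml, which nothing in the visible hunks adds; confirm that file is present in benchmarks/DISA, otherwise the raw.githubusercontent.com URL will 404. Note also that url is the SCAP benchmark zip while file is the manual XCCDF, so the size (65.89 KB) describes the zip, not the referenced file.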
@@ -319,11 +319,11 @@
},
{
"id": "Central_Log_Server_SRG",
- "name": "Central Log Server SRG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Central_Log_Server_V3R1_SRG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Central_Log_Server_SRG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Central Log Server SRG - Ver 2, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Central_Log_Server_V2R2_SRG.zip",
+ "size": "772.14 KB",
+ "version": "V2R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Central_Log_Server_SRG_V2R2_Manual-xccdf.xml"
},
{
"id": "b29f4be0-4843-4bac-9547-ecb6257bcd05",
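Review bot: the Central Log Server SRG object drops the current V3R1 release in favour of the sunset V2R2 one; if the intent is to track sunset content, add V2R2 as a second object so the V3R1 pointer survives.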
@@ -360,20 +360,20 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml"
},
{
- "id": "Oracle_HTTP_Server_12-1-3_STIG",
- "name": "Cisco IOS-XE Router NDM STIG Benchmark - Ver 1, Rel 7",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_NDM_V1R7_STIG_SCAP_1-3_Benchmark.zip",
- "size": "15.82 KB",
- "version": "V1R7",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_HTTP_Server_12-1-3_STIG_V1R7_Manual-xccdf.xml"
+ "id": "Cisco_IOS-XE_Router_NDM_STIG",
+ "name": "Cisco IOS-XE Router NDM STIG Benchmark - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_NDM_V3R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "15.81 KB",
+ "version": "V3R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_NDM_STIG_V3R1_Manual-xccdf.xml"
},
{
- "id": "Cisco_IOS_XE_Release_3_RTR_STIG",
- "name": "Cisco IOS-XE Router RTR STIG Benchmark - Ver 1, Rel 3",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_RTR_V1R3_STIG_SCAP_1-3_Benchmark.zip",
- "size": "6.56 KB",
- "version": "V1R3",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Release_3_RTR_STIG_V1R3_Manual-xccdf.xml"
+ "id": "Cisco_IOS-XE_Router_RTR_STIG",
+ "name": "Cisco IOS-XE Router RTR STIG Benchmark - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_RTR_V3R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "6.55 KB",
+ "version": "V3R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_RTR_STIG_V3R1_Manual-xccdf.xml"
},
{
"id": "52b06939-483a-4464-9dc4-596538cf5143",
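Review bot: the new ids "Cisco_IOS-XE_Router_NDM_STIG" and "Cisco_IOS-XE_Router_RTR_STIG" fix two objects that pointed at unrelated files (U_Oracle_HTTP_Server_12-1-3_... and U_Cisco_IOS-XE_Release_3_RTR_...), but check whether the object immediately above, whose file is U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml, already uses the NDM id; ids need to stay unique, for instance by suffixing the SCAP benchmark objects ("..._STIG_Benchmark"). As elsewhere, url is the SCAP zip while file is the V3R1 manual XCCDF, so confirm that manual exists before merging.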
@@ -433,27 +433,27 @@
},
{
"id": "Container_Platform_SRG",
- "name": "Container Platform SRG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Container_Platform_V2R1_SRG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Container_Platform_SRG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Container Platform SRG - Ver 1, Rel 5",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Container_Platform_V1R5_SRG.zip",
+ "size": "2.78 MB",
+ "version": "V1R5",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Container_Platform_SRG_V1R5_Manual-xccdf.xml"
},
{
"id": "Crunchy_Data_PostgreSQL_STIG",
- "name": "Crunchy Data PostgreSQL STIG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CD_PGSQL_V3R1_STIG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_CD_PGSQL_STIG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Crunchy Data PostgreSQL STIG - Ver 2, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CD_PGSQL_V2R2_STIG.zip",
+ "size": "3.25 MB",
+ "version": "V2R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_CD_PGSQL_STIG_V2R2_Manual-xccdf.xml"
},
{
"id": "Database_Generic",
- "name": "Database SRG - Ver 4, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Database_V4R1_SRG.zip",
- "size": "\u2014",
- "version": "V4R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Database_SRG_V4R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Database SRG - Ver 3, Rel 4",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Database_V3R4_SRG.zip",
+ "size": "1.11 MB",
+ "version": "V3R4",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Database_SRG_V3R4_Manual-xccdf.xml"
},
{
"id": "DB_Networks_DBN_6300_IDPS_STIG",
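Review bot: three current releases are dropped at once here (Container Platform SRG V2R1, Crunchy Data PostgreSQL V3R1, Database SRG V4R1) in favour of their Rev. 4 sunset predecessors; if sunset content should be listed, add it as separate objects so the V2R1/V3R1/V4R1 pointers are not lost.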
@@ -481,11 +481,11 @@
},
{
"id": "DNS_SRG",
- "name": "Domain Name System (DNS) SRG - Ver 4, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Domain_Name_System_V4R1_SRG.zip",
- "size": "\u2014",
- "version": "V4R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Domain_Name_System_V4R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Domain Name System (DNS) SRG - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Domain_Name_System_V3R2_SRG.zip",
+ "size": "1.24 MB",
+ "version": "V3R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Domain_Name_System_V3R2_Manual-xccdf.xml"
},
{
"id": "Docker_Enterprise_2-x_Linux-UNIX_STIG",
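Review bot: the name says "Ver 3, Rel 1" but url, version and file all say V3R2 (U_Domain_Name_System_V3R2_SRG.zip, "version": "V3R2", ..._V3R2_Manual-xccdf.xml); make the name "Rev. 4 Sunset - Domain Name System (DNS) SRG - Ver 3, Rel 2" or correct the other three fields, whichever matches the published release.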
@@ -515,7 +515,7 @@
"id": "EDB_Postgres_Advanced_Server_v11_on_Windows_STIG",
"name": "Sunset - EDB Postgres Advanced Server v11 on Windows STIG - Ver 2, Rel 4",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EDB_PGS_Advanced_Server_v11_Windows_V2R4_STIG.zip",
- "size": "\u2014",
+ "size": "1.39 MB",
"version": "V2R4",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_EDB_PGS_Advanced_Server_v11_Windows_STIG_V2R4_Manual-xccdf.xml"
},
@@ -535,27 +535,27 @@
},
{
"id": "Firewall_SRG",
- "name": "Firewall SRG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Firewall_V3R1_SRG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Firewall_SRG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Firewall SRG - Ver 2, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Firewall_V2R3_SRG.zip",
+ "size": "515.57 KB",
+ "version": "V2R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Firewall_SRG_V2R3_Manual-xccdf.xml"
},
{
"id": "ForeScout_CounterACT_ALG_STIG",
"name": "Sunset - ForeScout CounterACT ALG STIG - Ver 1, Rel 3",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ForeScout_CounterACT_ALG_V1R3_STIG.zip",
- "size": "\u2014",
+ "size": "1.03 MB",
"version": "V1R3",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_ForeScout_CounterACT_ALG_STIG_V1R3_Manual-xccdf.xml"
},
{
- "id": "ForeScout_CounterACT_ALG_STIG",
+ "id": "ForeScout_CounterACT_NDM_STIG",
"name": "Sunset - ForeScout CounterACT NDM STIG - Ver 1, Rel 2",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ForeScout_CounterACT_NDM_V1R2_STIG.zip",
- "size": "\u2014",
+ "size": "1.03 MB",
"version": "V1R2",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_ForeScout_CounterACT_ALG_STIG_V1R2_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_ForeScout_CounterACT_NDM_STIG_V1R2_Manual-xccdf.xml"
},
{
"id": "ForeScout_CounterACT_NDM_STIG",
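Review bot: changing this object's id to "ForeScout_CounterACT_NDM_STIG" removes one duplicate (the ALG id was used twice) but creates another, because the very next object in the trailing context already has "id": "ForeScout_CounterACT_NDM_STIG"; give the two NDM objects distinct ids (a release suffix would do) or merge them. The Firewall SRG object is also moved from V3R1 to the sunset V2R3 rather than gaining a second entry.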
@@ -579,11 +579,11 @@
},
{
"id": "General_Purpose_Operating_System",
- "name": "General Purpose Operating System SRG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_GPOS_V3R1_SRG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_GPOS_SRG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - General Purpose Operating System SRG - Ver 2, Rel 7",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_GPOS_V2R7_SRG.zip",
+ "size": "1.15 MB",
+ "version": "V2R7",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_GPOS_SRG_V2R7_Manual-xccdf.xml"
},
{
"id": "Google_Android_10-x_STIG",
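Review bot: the current GPOS SRG V3R1 object is replaced by the sunset V2R7 one; since the operating-system STIGs in this catalog derive their requirements from the GPOS SRG, keep the V3R1 object and add V2R7 as an extra entry instead.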
@@ -608,7 +608,7 @@
},
{
"id": "Google_Android_13_COBO_STIG",
- "name": "Google Android 13 STIG - Ver 1, Rel 1",
+ "name": "Rev. 4 Sunset - Google Android 13 STIG - Ver 1, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Android_13_V1R1_STIG.zip",
"size": "3.89 MB",
"version": "V1R1",
@@ -815,11 +815,11 @@
},
{
"id": "IDPS_SRG",
- "name": "Intrusion Detection and Prevention System Technology SRG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IDPS_V3R1_SRG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_IDPS_SRG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Intrusion Detection and Prevention System SRG - Ver 2, Rel 6",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IDPS_V2R6_SRG.zip",
+ "size": "850.55 KB",
+ "version": "V2R6",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_IDPS_SRG_V2R6_Manual-xccdf.xml"
},
{
"id": "ISEC_EMM_Suite_v6-x_STIG",
@@ -839,25 +839,26 @@
},
{
"id": "Ivanti_MI_Core_MDM_Server_STIG",
- "name": "Ivanti MobileIron Core MDM Server STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Ivanti_MI_Core_MDM_Server_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Ivanti_MI_Core_MDM_Server_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Ivanti MobileIron Core MDM Server STIG - Ver 1, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Ivanti_MI_Core_MDM_Server_V1R1_STIG.zip",
+ "size": "1.82 MB",
+ "version": "V1R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Ivanti_MI_Core_MDM_Server_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "05382d4d-6d31-48c4-b8ad-355f5ccd4715",
- "name": "Ivanti MobileIron Sentry 9.x STIG - Ver 1 Rel 1",
+ "name": "Rev. 4 Sunset - Ivanti MobileIron Sentry 9.x STIG - Ver 1, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Ivanti_MI_Sentry_9-x_STIG.zip",
- "size": "1.52 MB"
+ "size": "1.52 MB",
+ "version": "V1R1"
},
{
"id": "Jamf_Pro_v10-x_EMM_STIG",
- "name": "Jamf Pro v10.x EMM STIG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Jamf_Pro_v10-x_EMM_V3R1_STIG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Jamf_Pro_v10-x_EMM_STIG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Jamf Pro v10.x EMM STIG - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Jamf_Pro_v10-x_EMM_V2R1_STIG.zip",
+ "size": "2.41 MB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Jamf_Pro_v10-x_EMM_STIG_V2R1_Manual-xccdf.xml"
},
{
"id": "fa14db2f-c028-44e8-89c7-dc2a7014d9cf",
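Review bot: the Ivanti MobileIron Sentry 9.x object gains "version": "V1R1" but still has no "file" key, unlike every other object in these hunks, so consumers iterating over file must tolerate its absence or the entry should get a file pointer; the trailing-comma fix on "size" is correct JSON. Ivanti Core (V2R1 to V1R1) and Jamf Pro (V3R1 to V2R1) again lose their current-release pointers.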
@@ -873,7 +874,7 @@
},
{
"id": "343e01d8-ba26-40fb-8163-bfbb0d0b9f31",
- "name": "Juniper SRX Services Gateway STIG",
+ "name": "Rev. 4 Sunset - Juniper SRX Services Gateway STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y22M10_STIG.zip",
"size": "1.05 MB"
},
@@ -886,44 +887,44 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Nutanix_AOS_5-20-x_OS_STIG_V1R1_Manual-xccdf.xml"
},
{
- "id": "Mirantis_Kubernetes_Engine_STIG",
- "name": "Kubernetes STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Mirantis_Kubernetes_Engine_STIG_V2R1_Manual-xccdf.xml"
+ "id": "Microsoft_Publisher_2010",
+ "name": "Rev. 4 Sunset - Kubernetes STIG - Ver 1, Rel 11",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R11_STIG.zip",
+ "size": "2.89 MB",
+ "version": "V1R11",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Publisher_2010_STIG_V1R11_Manual-xccdf.xml"
},
{
"id": "Layer_2_Switch_SRG",
- "name": "Layer 2 Switch SRG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Layer_2_Switch_V3R1_SRG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Layer_2_Switch_SRG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Layer 2 Switch SRG - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Layer_2_Switch_V2R1_SRG.zip",
+ "size": "679.55 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Layer_2_Switch_SRG_V2R1_Manual-xccdf.xml"
},
{
"id": "Mainframe_Product_SRG",
- "name": "Mainframe Product SRG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Mainframe_Product_V3R1_SRG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Mainframe_Product_SRG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Mainframe Product SRG - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Mainframe_Product_V2R1_SRG.zip",
+ "size": "814.87 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Mainframe_Product_SRG_V2R1_Manual-xccdf.xml"
},
{
"id": "MariaDB_Enterprise_10-x_STIG",
- "name": "MariaDB Enterprise 10.x STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MariaDB_Enterprise_10-x_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MariaDB_Enterprise_10-x_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - MariaDB Enterprise 10.x STIG - Ver 1, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MariaDB_Enterprise_10-x_V1R3_STIG.zip",
+ "size": "1.95 MB",
+ "version": "V1R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MariaDB_Enterprise_10-x_STIG_V1R3_Manual-xccdf.xml"
},
{
"id": "MarkLogic_Server_v9_STIG",
- "name": "MarkLogic Server v9 STIG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MarkLogic_Server_v9_V3R1_STIG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MarkLogic_Server_v9_STIG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - MarkLogic Server v9 STIG - Ver 2, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MarkLogic_Server_v9_V2R2_STIG.zip",
+ "size": "1.34 MB",
+ "version": "V2R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MarkLogic_Server_v9_STIG_V2R2_Manual-xccdf.xml"
},
{
"id": "McAfee_Application_Control_7-x_STIG",
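Review bot: the Kubernetes object is now keyed "Microsoft_Publisher_2010" with file U_MS_Publisher_2010_STIG_V1R11_Manual-xccdf.xml, an Office STIG, not Kubernetes; the previous id/file (Mirantis_Kubernetes_Engine) was also wrong, so this looks like an automated match on the "V1R11" token. Use a Kubernetes id (e.g. "Kubernetes_STIG") and point file at the Kubernetes manual XCCDF, which, assuming the same naming convention as the other objects, would be U_Kubernetes_STIG_V1R11_Manual-xccdf.xml. The Layer 2 Switch, Mainframe Product, MariaDB and MarkLogic objects all drop their current release for the sunset one.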
@@ -969,7 +970,7 @@
"id": "Microsoft_Excel_2010",
"name": "Sunset - Microsoft Access 2010 STIG - Ver 1, Rel 11",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Access_2010_V1R11_STIG.zip",
- "size": "\u2014",
+ "size": "1.04 MB",
"version": "V1R11",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Excel_2010_STIG_V1R11_Manual-xccdf.xml"
},
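Review bot: only size changes here, but the object is still mis-keyed: name and url are Microsoft Access 2010 while id is "Microsoft_Excel_2010" and file is U_MS_Excel_2010_STIG_V1R11_Manual-xccdf.xml; fix id and file to the Access 2010 XCCDF in the same pass.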
@@ -977,7 +978,7 @@
"id": "Microsoft_Access_2013",
"name": "Sunset - Microsoft Access 2013 STIG - Ver 1, Rel 7",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Access_2013_V1R7_STIG.zip",
- "size": "\u2014",
+ "size": "1.04 MB",
"version": "V1R7",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Access_2013_STIG_V1R7_Manual-xccdf.xml"
},
@@ -997,11 +998,11 @@
},
{
"id": "MS_Azure_SQL_DB_STIG",
- "name": "Microsoft Azure SQL Database STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Azure_SQL_DB_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Azure_SQL_DB_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Microsoft Azure SQL Database STIG - Ver 1, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Azure_SQL_DB_V1R2_STIG.zip",
+ "size": "1.32 MB",
+ "version": "V1R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Azure_SQL_DB_STIG_V1R2_Manual-xccdf.xml"
},
{
"id": "MS_Defender_Antivirus",
@@ -1020,12 +1021,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_10_STIG_V2R5_Manual-xccdf.xml"
},
{
- "id": "Microsoft_Excel_2016",
- "name": "Microsoft Edge STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Edge_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Excel_2016_STIG_V2R1_Manual-xccdf.xml"
+ "id": "Microsoft_Excel_2013",
+ "name": "Rev. 4 Sunset - Microsoft Edge STIG - Ver 1, Rel 8",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Edge_V1R8_STIG.zip",
+ "size": "1.87 MB",
+ "version": "V1R8",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Excel_2013_STIG_V1R8_Manual-xccdf.xml"
},
{
"id": "MS_Exchange_2013_CAS_STIG",
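Review bot: the Edge STIG object is now keyed "Microsoft_Excel_2013" with file U_MS_Excel_2013_STIG_V1R8_Manual-xccdf.xml, an Excel STIG, replacing an earlier wrong match on Excel 2016; besides pointing at the wrong benchmark, the id duplicates the genuine "Microsoft_Excel_2013" object below (url U_MS_Excel_2013_V1R8_STIG.zip). Use an Edge-specific id and the Edge manual XCCDF instead.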
@@ -1047,7 +1048,7 @@
"id": "Microsoft_Excel_2013",
"name": "Sunset - Microsoft Excel 2013 STIG - Ver 1, Rel 8",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Excel_2013_V1R8_STIG.zip",
- "size": "\u2014",
+ "size": "884.61 KB",
"version": "V1R8",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Excel_2013_STIG_V1R8_Manual-xccdf.xml"
},
@@ -1135,7 +1136,7 @@
"id": "Microsoft_InfoPath_2010",
"name": "Sunset - Microsoft InfoPath 2010 STIG - Ver 1, Rel 12",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_InfoPath_2010_V1R12_STIG.zip",
- "size": "\u2014",
+ "size": "1.04 MB",
"version": "V1R12",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_InfoPath_2010_STIG_V1R12_Manual-xccdf.xml"
},
@@ -1143,7 +1144,7 @@
"id": "Microsoft_Word_2013",
"name": "Sunset - Microsoft InfoPath 2013 STIG - Ver 1, Rel 6",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_InfoPath_2013_V1R6_STIG.zip",
- "size": "\u2014",
+ "size": "1.04 MB",
"version": "V1R6",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Word_2013_STIG_V1R6_Manual-xccdf.xml"
},
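Review bot: this InfoPath 2013 object keeps id "Microsoft_Word_2013" and file U_MS_Word_2013_STIG_V1R6_Manual-xccdf.xml while its name and url are InfoPath 2013; since size is being corrected anyway, correct id and file too.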
@@ -1167,7 +1168,7 @@
"id": "Microsoft_Lync_2013",
"name": "Sunset - Microsoft Lync 2013 STIG - Ver 1, Rel 5",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Lync_2013_V1R5_STIG.zip",
- "size": "\u2014",
+ "size": "1014.18 KB",
"version": "V1R5",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Lync_2013_STIG_V1R5_Manual-xccdf.xml"
},
@@ -1180,36 +1181,36 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_OfficeSystem_2010_STIG_V1R12_Manual-xccdf.xml"
},
{
- "id": "Microsoft_InfoPath_2013",
+ "id": "Microsoft_Project_2013",
"name": "Microsoft Office 2013 Overview - Ver 1, Rel 5",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MicrosoftOffice2013_V1R5_Overview.zip",
"size": "531.32 KB",
"version": "V1R5",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_InfoPath_2013_STIG_V1R5_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Project_2013_STIG_V1R5_Manual-xccdf.xml"
},
{
"id": "MS_Office_365_ProPlus_STIG",
- "name": "Microsoft Office 365 ProPlus STIG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Office_365_ProPlus_V3R1_STIG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Office_365_ProPlus_STIG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Microsoft Office 365 ProPlus STIG - Ver 2, Rel 12",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Office_365_ProPlus_V2R12_STIG.zip",
+ "size": "1.23 MB",
+ "version": "V2R12",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Office_365_ProPlus_STIG_V2R12_Manual-xccdf.xml"
},
{
"id": "Microsoft_Office_System_2010",
"name": "Sunset - Microsoft Office System 2010 STIG - Ver 1, Rel 13",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_OfficeSystem_2010_V1R13_STIG.zip",
- "size": "\u2014",
+ "size": "1.01 MB",
"version": "V1R13",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_OfficeSystem_2010_STIG_V1R13_Manual-xccdf.xml"
},
{
"id": "Microsoft_Office_System_2013",
- "name": "Microsoft Office System 2013 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_OfficeSystem_2013_V2R1_STIG.zip",
- "size": "885.34 KB",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_OfficeSystem_2013_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft Office System 2013 STIG - Ver 2, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_OfficeSystem_2013_V2R2_STIG.zip",
+ "size": "1.11 MB",
+ "version": "V2R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_OfficeSystem_2013_STIG_V2R2_Manual-xccdf.xml"
},
{
"id": "Microsoft_Office_System_2016",
@@ -1285,19 +1286,19 @@
},
{
"id": "Microsoft_PowerPoint_2010",
- "name": "Microsoft PowerPoint 2010 STIG - Ver 1, Rel 10",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_PowerPoint_2010_V1R10_STIG.zip",
- "size": "414.21 KB",
- "version": "V1R10",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_PowerPoint_2010_STIG_V1R10_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft PowerPoint 2010 STIG - Ver 1, Rel 11",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_PowerPoint_2010_V1R11_STIG.zip",
+ "size": "1.05 MB",
+ "version": "V1R11",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_PowerPoint_2010_STIG_V1R11_Manual-xccdf.xml"
},
{
"id": "Microsoft_PowerPoint_2013",
- "name": "Microsoft PowerPoint 2013 STIG - Ver 1, Rel 6",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_PowerPoint_2013_V1R6_STIG.zip",
- "size": "440.97 KB",
- "version": "V1R6",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_PowerPoint_2013_V1R6_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft PowerPoint 2013 STIG - Ver 1, Rel 7",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_PowerPoint_2013_V1R7_STIG.zip",
+ "size": "1.05 MB",
+ "version": "V1R7",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_PowerPoint_2013_STIG_V1R7_Manual-xccdf.xml"
},
{
"id": "Microsoft_PowerPoint_2016",
@@ -1309,19 +1310,19 @@
},
{
"id": "Microsoft_Project_2010",
- "name": "Microsoft Project 2010 STIG - Ver 1, Rel 9",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Project_2010_V1R9_STIG.zip",
- "size": "435.29 KB",
- "version": "V1R9",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Project_2010_STIG_V1R9_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft Project 2010 STIG - Ver 1, Rel 10",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Project_2010_V1R10_STIG.zip",
+ "size": "1.04 MB",
+ "version": "V1R10",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Project_2010_STIG_V1R10_Manual-xccdf.xml"
},
{
"id": "Microsoft_Project_2013",
- "name": "Microsoft Project 2013 STIG - Ver 1, Rel 4",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Project_2013_V1R4_STIG.zip",
- "size": "428.58 KB",
- "version": "V1R4",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Project_2013_STIG_V1R4_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft Project 2013 STIG - Ver 1, Rel 5",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Project_2013_V1R5_STIG.zip",
+ "size": "1.03 MB",
+ "version": "V1R5",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Project_2013_STIG_V1R5_Manual-xccdf.xml"
},
{
"id": "Microsoft_Project_2016",
@@ -1333,19 +1334,19 @@
},
{
"id": "Microsoft_Publisher_2010",
- "name": "Microsoft Publisher 2010 STIG - Ver 1, Rel 11",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Publisher_2010_V1R11_STIG.zip",
- "size": "409.49 KB",
- "version": "V1R11",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Publisher_2010_STIG_V1R11_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft Publisher 2010 STIG - Ver 1, Rel 12",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Publisher_2010_V1R12_STIG.zip",
+ "size": "1.04 MB",
+ "version": "V1R12",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Publisher_2010_STIG_V1R12_Manual-xccdf.xml"
},
{
"id": "Microsoft_Publisher_2013",
- "name": "Microsoft Publisher 2013 STIG - Ver 1, Rel 5",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Publisher_2013_V1R5_STIG.zip",
- "size": "429.2 KB",
- "version": "V1R5",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Publisher_2013_STIG_V1R5_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft Publisher 2013 STIG - Ver 1, Rel 6",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Publisher_2013_V1R6_STIG.zip",
+ "size": "1.03 MB",
+ "version": "V1R6",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Publisher_2013_STIG_V1R6_Manual-xccdf.xml"
},
{
"id": "Microsoft_Publisher_2016",
@@ -1389,11 +1390,11 @@
},
{
"id": "Microsoft_Visio_2013",
- "name": "Microsoft Visio 2013 STIG - Ver 1, Rel 4",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Visio_2013_V1R4_STIG.zip",
- "size": "427.91 KB",
- "version": "V1R4",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Visio_2013_STIG_V1R4_Manual-xccdf.xml"
+ "name": "Sunset - Microsoft Visio 2013 STIG - Ver 1, Rel 5",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Visio_2013_V1R5_STIG.zip",
+ "size": "917.9 KB",
+ "version": "V1R5",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Visio_2013_STIG_V1R5_Manual-xccdf.xml"
},
{
"id": "Microsoft_Visio_2016",
@@ -1407,7 +1408,7 @@
"id": "Windows_Server_2019_STIG",
"name": "Microsoft Windows 10 STIG - Ver 3, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V3R1_STIG.zip",
- "size": "\u2014",
+ "size": "1.28 MB",
"version": "V3R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2019_STIG_V3R1_Manual-xccdf.xml"
},
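Review bot: the record in this hunk is mislabelled and the size fill-in does not fix it: id "Windows_Server_2019_STIG" and file U_MS_Windows_Server_2019_STIG_V3R1_Manual-xccdf.xml sit under the name "Microsoft Windows 10 STIG - Ver 3, Rel 1" and the U_MS_Windows_10_V3R1_STIG.zip url, so the 1.28 MB now recorded is the Windows 10 zip size attached to a Server 2019 manual file. The id and file should follow the Windows 10 naming (the -1420 hunk shows U_MS_Windows_10_STIG_V2R9_Manual-xccdf.xml as that pattern), or the name and url should be Server 2019's.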
@@ -1420,12 +1421,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_10_STIG_V2R9_Manual-xccdf.xml"
},
{
- "id": "Windows_PAW_STIG",
- "name": "Microsoft Windows 11 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_11_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_PAW_STIG_V2R1_Manual-xccdf.xml"
+ "id": "Microsoft_Windows_11_STIG",
+ "name": "Rev. 4 Sunset - Microsoft Windows 11 STIG - Ver 1, Rel 6",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_11_V1R6_STIG.zip",
+ "size": "1.32 MB",
+ "version": "V1R6",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_11_STIG_V1R6_Manual-xccdf.xml"
},
{
"id": "Microsoft_Windows_11_STIG",
@@ -1447,7 +1448,7 @@
"id": "Microsoft_Windows_2012_Server_Domain_Name_System_STIG",
"name": "Sunset - Microsoft Windows 2012 Server Domain Name System STIG - Ver 2, Rel 7",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_Server_DNS_V2R7_STIG.zip",
- "size": "\u2014",
+ "size": "1.16 MB",
"version": "V2R7",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_2012_Server_DNS_STIG_V2R7_Manual-xccdf.xml"
},
@@ -1477,7 +1478,7 @@
},
{
"id": "Windows_PAW_STIG",
- "name": "Microsoft Windows Privileged Access Workstation (PAW) STIG - Ver 2, Rel 3",
+ "name": "Rev. 4 Sunset - Microsoft Windows PAW STIG - Ver 2, Rel 3",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V2R3_STIG.zip",
"size": "1.09 MB",
"version": "V2R3",
@@ -1509,11 +1510,11 @@
},
{
"id": "Windows_Server_2019_STIG",
- "name": "Microsoft Windows Server 2019 STIG Benchmark - Ver 2, Rel 5",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R5_STIG_SCAP_1-2_Benchmark.zip",
- "size": "99.99 KB",
- "version": "V2R5",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2019_STIG_V2R5_Manual-xccdf.xml"
+ "name": "Microsoft Windows Server 2019 STIG Benchmark - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V3R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "99.96 KB",
+ "version": "V3R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2019_STIG_V3R1_Manual-xccdf.xml"
},
{
"id": "Windows_Server_2019_STIG",
@@ -1533,11 +1534,11 @@
},
{
"id": "Windows_Server_2019_STIG",
- "name": "Microsoft Windows Server 2019 STIG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V3R1_STIG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2019_STIG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Microsoft Windows Server 2019 STIG - Ver 2, Rel 9",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R9_STIG.zip",
+ "size": "1.12 MB",
+ "version": "V2R9",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2019_STIG_V2R9_Manual-xccdf.xml"
},
{
"id": "Microsoft_Windows_11_STIG",
@@ -1548,12 +1549,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_11_STIG_V1R2_Manual-xccdf.xml"
},
{
- "id": "Apache_Server_2-4_Windows_Server_STIG",
- "name": "Microsoft Windows Server 2022 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apache_Server_2-4_Windows_Server_STIG_V2R1_Manual-xccdf.xml"
+ "id": "Microsoft_Windows_11_STIG",
+ "name": "Rev. 4 Sunset - Microsoft Windows Server 2022 STIG - Ver 1, Rel 5",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R5_STIG.zip",
+ "size": "1.97 MB",
+ "version": "V1R5",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_11_STIG_V1R5_Manual-xccdf.xml"
},
{
"id": "MS_Windows_Server_2022_DNS_STIG",
@@ -1567,7 +1568,7 @@
"id": "Microsoft_Word_2010",
"name": "Sunset - Microsoft Word 2010 STIG - Ver 1, Rel 12",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Word_2010_V1R12_STIG.zip",
- "size": "\u2014",
+ "size": "1.09 MB",
"version": "V1R12",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Word_2010_STIG_V1R12_Manual-xccdf.xml"
},
@@ -1575,7 +1576,7 @@
"id": "Microsoft_Word_2013",
"name": "Sunset - Microsoft Word 2013 STIG - Ver 1, Rel 7",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Word_2013_V1R7_STIG.zip",
- "size": "\u2014",
+ "size": "1.09 MB",
"version": "V1R7",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Word_2013_STIG_V1R7_Manual-xccdf.xml"
},
@@ -1599,7 +1600,7 @@
"id": "MongoDB_3-x_STIG",
"name": "Sunset - MongoDB 3.x STIG - Ver 2, Rel 3",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MDB_Enterprise_Advanced_3-x_V2R3_STIG.zip",
- "size": "\u2014",
+ "size": "1.01 MB",
"version": "V2R3",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MDB_Enterprise_Advanced_3-x_STIG_V2R3_Manual-xccdf.xml"
},
@@ -1607,7 +1608,7 @@
"id": "MongoDB_Enterprise_Advanced_4-x_STIG",
"name": "Sunset - MongoDB 4.x STIG - Ver 1, Rel 4",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MDB_Enterprise_Advanced_4-x_V1R4_STIG.zip",
- "size": "\u2014",
+ "size": "1.96 MB",
"version": "V1R4",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MDB_Enterprise_Advanced_4-x_STIG_V1R4_Manual-xccdf.xml"
},
@@ -1621,7 +1622,7 @@
"id": "MOT_Solutions_Android_11_COBO_STIG",
"name": "Sunset - Motorola Solutions Android 11 STIG - Ver 1, Rel 3",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MOT_Solutions_Android_11_V1R3_STIG.zip",
- "size": "\u2014",
+ "size": "2.02 MB",
"version": "V1R3",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MOT_Solutions_Android_11_COBO_V1R3_Manual-xccdf.xml"
},
@@ -1671,19 +1672,19 @@
},
{
"id": "NetApp_ONTAP_DSC_9-x_STIG",
- "name": "NetApp ONTAP DSC 9.x STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_NetApp_ONTAP_DSC_9-x_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_NetApp_ONTAP_DSC_9-x_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - NetApp ONTAP DSC 9.x STIG - Ver 1, Rel 4",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_NetApp_ONTAP_DSC_9-x_V1R4_STIG.zip",
+ "size": "1.05 MB",
+ "version": "V1R4",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_NetApp_ONTAP_DSC_9-x_STIG_V1R4_Manual-xccdf.xml"
},
{
"id": "Network_Device_Management_SRG",
- "name": "Network Device Management SRG - Ver 5, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_NDM_V5R1_SRG.zip",
- "size": "\u2014",
- "version": "V5R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_NDM_SRG_V5R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Network Device Management SRG - Ver 4, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_NDM_V4R3_SRG.zip",
+ "size": "1.06 MB",
+ "version": "V4R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_NDM_SRG_V4R3_Manual-xccdf.xml"
},
{
"id": "Network_Infrastructure_Policy_STIG",
@@ -1703,17 +1704,17 @@
"id": "Oracle_Database_11-2g_STIG",
"name": "Sunset - Oracle Database 11.2g STIG - Ver 2, Rel 5",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11-2g_V2R5_STIG.zip",
- "size": "\u2014",
+ "size": "1.74 MB",
"version": "V2R5",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Database_11-2g_STIG_V2R5_Manual-xccdf.xml"
},
{
"id": "Oracle_Database_12c_STIG",
- "name": "Oracle Database 12c STIG - Ver 3, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V3R1_STIG.zip",
- "size": "\u2014",
- "version": "V3R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Database_12c_STIG_V3R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Oracle Database 12c STIG - Ver 2, Rel 9",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V2R9_STIG.zip",
+ "size": "1.59 MB",
+ "version": "V2R9",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Database_12c_STIG_V2R9_Manual-xccdf.xml"
},
{
"id": "Oracle_HTTP_Server_12-1-3_STIG",
@@ -1740,12 +1741,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Linux_7_STIG_V2R14_Manual-xccdf.xml"
},
{
- "id": "Oracle_Linux_5_STIG",
- "name": "Oracle Linux 8 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Linux_5_STIG_V2R1_Manual-xccdf.xml"
+ "id": "Oracle_Linux_8_STIG",
+ "name": "Rev. 4 Sunset - Oracle Linux 8 STIG - Ver 1, Rel 10",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V1R10_STIG.zip",
+ "size": "2.07 MB",
+ "version": "V1R10",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Linux_8_STIG_V1R10_Manual-xccdf.xml"
},
{
"id": "Oracle_Linux_8_STIG",
@@ -1765,11 +1766,11 @@
},
{
"id": "Oracle_MySQL_8.0_STIG",
- "name": "Oracle MySQL 8.0 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_MySQL_8-0_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_MySQL_8-0_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Oracle MySQL 8.0 STIG - Ver 1, Rel 5",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_MySQL_8-0_V1R5_STIG.zip",
+ "size": "2.07 MB",
+ "version": "V1R5",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_MySQL_8-0_STIG_V1R5_Manual-xccdf.xml"
},
{
"id": "Oracle_WebLogic_Server_12c_STIG",
@@ -1781,11 +1782,11 @@
},
{
"id": "PAN_Prisma_Cloud_Compute_STIG",
- "name": "Palo Alto Networks Prisma Cloud Compute STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Prisma_Cloud_Compute_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_PAN_Prisma_Cloud_Compute_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Palo Alto Networks Prisma Cloud Compute STIG - Ver 1, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Prisma_Cloud_Compute_V1R3_STIG.zip",
+ "size": "2.04 MB",
+ "version": "V1R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_PAN_Prisma_Cloud_Compute_STIG_V1R3_Manual-xccdf.xml"
},
{
"id": "1662f0e7-192d-4637-bfb8-0bd8c452934e",
@@ -1805,25 +1806,25 @@
"id": "PostgreSQL_9-x_STIG",
"name": "Sunset - PostgreSQL 9.x STIG - Ver 2, Rel 5",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_SQL_9-x_V2R5_STIG.zip",
- "size": "\u2014",
+ "size": "1.66 MB",
"version": "V2R5",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_PGS_SQL_9-x_STIG_V2R5_Manual-xccdf.xml"
},
{
"id": "RGS_RKE2_STIG",
- "name": "Rancher Government Solutions RKE2 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RGS_RKE2_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RGS_RKE2_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Rancher Government Solutions RKE2 STIG - Ver 1, Rel 5",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RGS_RKE2_V1R5_STIG.zip",
+ "size": "1.28 MB",
+ "version": "V1R5",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RGS_RKE2_STIG_V1R5_Manual-xccdf.xml"
},
{
"id": "Rancher_MCM_STIG",
- "name": "Rancher Government Solutions Multi-Cluster Manager STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RGS_MCM_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RGS_MCM_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Rancher Government Solutions Multi-Cluster Manager STIG - Ver 1, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RGS_MCM_V1R3_STIG.zip",
+ "size": "1.56 MB",
+ "version": "V1R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RGS_MCM_STIG_V1R3_Manual-xccdf.xml"
},
{
"id": "RHEL_7_STIG",
@@ -1883,11 +1884,11 @@
},
{
"id": "Redis_Enterprise_6-x_STIG",
- "name": "Redis Enterprise 6.x STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Redis_Enterprise_6-x_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Redis_Enterprise_6-x_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Redis Enterprise 6.x STIG - Ver 1, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Redis_Enterprise_6-x_V1R3_STIG.zip",
+ "size": "2.01 MB",
+ "version": "V1R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Redis_Enterprise_6-x_STIG_V1R3_Manual-xccdf.xml"
},
{
"id": "0a7a6ec9-64f5-4aa6-9b47-2ca7076628f8",
@@ -1899,7 +1900,7 @@
"id": "Router_SRG",
"name": "Router SRG - Ver 5, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Router_V5R1_SRG.zip",
- "size": "\u2014",
+ "size": "1.12 MB",
"version": "V5R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Router_SRG_V5R1_Manual-xccdf.xml"
},
@@ -2063,7 +2064,7 @@
"id": "SDN_Controller_SRG",
"name": "SDN Controller SRG - Ver 2, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SDN_Controller_V2R1_SRG.zip",
- "size": "\u2014",
+ "size": "1.18 MB",
"version": "V2R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SDN_Controller_SRG_V2R1_Manual-xccdf.xml"
},
@@ -2127,7 +2128,7 @@
"id": "Solaris_11_X86_STIG",
"name": "Solaris 11 SPARC STIG - Ver 3, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_11_SPARC_V3R1_STIG.zip",
- "size": "\u2014",
+ "size": "1.24 MB",
"version": "V3R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SOL_11_x86_STIG_V3R1_Manual-xccdf.xml"
},
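Review bot: the "Solaris 11 SPARC STIG - Ver 3, Rel 1" record carries id "Solaris_11_X86_STIG" and file U_SOL_11_x86_STIG_V3R1_Manual-xccdf.xml, identical to the x86 record in the next hunk, so after this change the two records differ only in name, url and size. The SPARC url (U_SOL_11_SPARC_V3R1_STIG.zip) suggests the id and manual file should be the SPARC counterparts; otherwise the 1.24 MB recorded here is the SPARC zip size attached to the x86 manual.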
@@ -2143,7 +2144,7 @@
"id": "Solaris_11_X86_STIG",
"name": "Solaris 11 x86 STIG - Ver 3, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_11_x86_V3R1_STIG.zip",
- "size": "\u2014",
+ "size": "1.26 MB",
"version": "V3R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SOL_11_x86_STIG_V3R1_Manual-xccdf.xml"
},
@@ -2167,7 +2168,7 @@
"id": "Splunk_Enterprise_7-x_for_Windows_STIG",
"name": "Splunk Enterprise 7.x for Windows STIG - Ver 3, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_7-x_for_Windows_V3R1_STIG.zip",
- "size": "\u2014",
+ "size": "3.63 MB",
"version": "V3R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Splunk_Enterprise_7-x_for_Windows_V3R1_Manual-xccdf.xml"
},
@@ -2175,7 +2176,7 @@
"id": "Docker_Enterprise_2-x_Linux-UNIX_STIG",
"name": "Splunk Enterprise 8.x for Linux STIG - Ver 2, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_8-x_for-Linux_V2R1_STIG.zip",
- "size": "\u2014",
+ "size": "3.42 MB",
"version": "V2R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Docker_Enterprise_2-x_Linux-UNIX_STIG_V2R1_Manual-xccdf.xml"
},
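Review bot: the record named "Splunk Enterprise 8.x for Linux STIG - Ver 2, Rel 1" has id "Docker_Enterprise_2-x_Linux-UNIX_STIG" and file U_Docker_Enterprise_2-x_Linux-UNIX_STIG_V2R1_Manual-xccdf.xml; the 3.42 MB size added here is the Splunk zip size, so the id and file should be corrected to Splunk's (the -2167 hunk shows U_Splunk_Enterprise_7-x_for_Windows_V3R1_Manual-xccdf.xml as the Splunk manual naming) rather than leaving a Docker manual under a Splunk name.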
@@ -3096,12 +3097,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Linux_7_STIG_V2R11_Manual-xccdf.xml"
},
{
- "id": "IE_11_STIG",
+ "id": "SLES_15_STIG",
"name": "SUSE Linux Enterprise Server 15 STIG - Ver 2, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLES_15_V2R1_STIG.zip",
- "size": "\u2014",
+ "size": "1.3 MB",
"version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_IE11_STIG_V2R1_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SLES_15_STIG_V2R1_Manual-xccdf.xml"
},
{
"id": "SLES_15_STIG",
@@ -3135,7 +3136,7 @@
},
{
"id": "Tanium_7-x_OS_TanOS_STIG",
- "name": "Tanium 7.x on TanOS STIG - Ver 1, Rel 1",
+ "name": "Rev. 4 Sunset - Tanium 7.x TanOS STIG - Ver 1, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Tanium_7-x_TanOS_V1R1_STIG.zip",
"size": "1.72 MB",
"version": "V1R1",
@@ -3145,7 +3146,7 @@
"id": "Tanium_7-x_STIG",
"name": "Tanium 7.x STIG - Ver 2, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Tanium_7-x_V2R1_STIG.zip",
- "size": "\u2014",
+ "size": "2.06 MB",
"version": "V2R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Tanium_7-x_STIG_V2R1_Manual-xccdf.xml"
},
@@ -3167,7 +3168,7 @@
},
{
"id": "f075e9ca-36c6-4a1c-8d70-ec03b1a2d02c",
- "name": "Trend Micro TippingPoint STIG",
+ "name": "Rev. 4 Sunset - Trend Micro TippingPoint STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_TM_TippingPoint_Y22M07_STIG.zip",
"size": "1.69 MB"
},
@@ -3179,11 +3180,11 @@
},
{
"id": "VPN",
- "name": "Virtual Private Network SRG - Ver 2, Rel 6",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VPN_V2R6_SRG.zip",
- "size": "1.04 MB",
- "version": "V2R6",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml"
+ "name": "Virtual Private Network (VPN) SRG - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VPN_V3R1_SRG.zip",
+ "size": "1005.82 KB",
+ "version": "V3R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_VPN_SRG_V3R1_Manual-xccdf.xml"
},
{
"id": "VMware_Horizon_7-13_Agent_STIG",
@@ -3275,7 +3276,7 @@
"id": "Web_Server_SRG",
"name": "Web Server SRG - Ver 4, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Web_Server_V4R1_SRG.zip",
- "size": "\u2014",
+ "size": "1.17 MB",
"version": "V4R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Web_Server_V4R1_Manual-xccdf.xml"
},
@@ -3304,20 +3305,20 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Solaris_9_SPARC_V1R12_STIG_SCAP_1-1_Benchmark-xccdf.xml"
},
{
- "id": "MS_Windows_Server_2022_STIG",
- "name": "Microsoft Windows Server 2022 STIG Benchmark - Ver 1, Rel 3",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG_SCAP_1-2_Benchmark.zip",
- "size": "93.73 KB",
- "version": "V1R3",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2022_STIG_V1R3_Manual-xccdf.xml"
+ "id": "Apache_Server_2-4_Windows_Server_STIG",
+ "name": "Microsoft Windows Server 2022 STIG Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V2R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "92.95 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apache_Server_2-4_Windows_Server_STIG_V2R1_Manual-xccdf.xml"
},
{
- "id": "Apple_macOS_14_STIG",
+ "id": "SLES_15_STIG",
"name": "Tri-Lab Operating System Stack (TOSS) 4 STIG - Ver 2, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_TOSS_4_V2R1_STIG.zip",
- "size": "\u2014",
+ "size": "1.35 MB",
"version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_macOS_14_STIG_V2R1_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SLES_15_STIG_V2R1_Manual-xccdf.xml"
},
{
"id": "5f0169e2-df53-4cd3-a2ac-0458d25f3e78",
@@ -3327,7 +3328,7 @@
},
{
"id": "75c4d51a-3559-4a53-821b-4d8249194d09",
- "name": "Apache Server 2.4 Windows STIG",
+ "name": "Rev. 4 Sunset - Apache Server 2.4 Windows STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Windows_Y23M01_STIG.zip",
"size": "1.59 MB"
},
@@ -3369,7 +3370,7 @@
},
{
"id": "cbc0af64-f1f7-47aa-a7a4-3bc7e8cba307",
- "name": "Samsung Android 13 with Knox 3.x STIG",
+ "name": "Rev. 4 Sunset - Samsung Android OS 13 with Knox 3.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SS_Android_OS_13_KPE_3-x_Y23M01_STIG.zip",
"size": "1.59 MB"
},
@@ -3380,12 +3381,12 @@
"size": "2.58 MB"
},
{
- "id": "VVOIP_Technical",
+ "id": "RHEL_7_STIG",
"name": "Sunset - Red Hat Enterprise Linux 7 STIG - Ver 3, Rel 15",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R15_STIG.zip",
- "size": "\u2014",
+ "size": "1.12 MB",
"version": "V3R15",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_VVoIP_STIG_V3R15_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RHEL_7_STIG_V3R15_Manual-xccdf.xml"
},
{
"id": "RHEL_7_STIG",
@@ -3533,7 +3534,7 @@
},
{
"id": "7cafb215-1fe2-48ac-ad12-46ff626ba5f9",
- "name": "Arista MLS EOS 4.2x STIG",
+ "name": "Rev. 4 Sunset - Arista MLS EOS 4.2x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y23M02_STIG.zip",
"size": "2.54 MB"
},
@@ -3541,13 +3542,13 @@
"id": "RB_NetProfiler_STIG",
"name": "Riverbed NetProfiler STIG - Ver 2, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RB_NetProfiler_V2R1_STIG.zip",
- "size": "\u2014",
+ "size": "1.92 MB",
"version": "V2R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RB_NetProfiler_STIG_V2R1_Manual-xccdf.xml"
},
{
"id": "Nutanix_AOS_5-20-x_OS_STIG",
- "name": "Nutanix AOS 5.20.x STIG - Ver 1, Rel 1",
+ "name": "Rev. 4 Sunset - Nutanix AOS 5.20.x STIG - Ver 1, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Nutanix_AOS_5-20-x_V1R1_STIG.zip",
"size": "1.57 MB",
"version": "V1R1",
@@ -3729,7 +3730,7 @@
},
{
"id": "7dc17f5e-ebaf-47dc-acf6-ea2fdd583b96",
- "name": "IBM Hardware Management Console (HMC) STIG",
+ "name": "Rev. 4 Sunset - IBM Hardware Management Console (HMC) STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_HMC_Y23M04_STIG.zip",
"size": "1.63 MB"
},
@@ -3765,7 +3766,7 @@
},
{
"id": "6a235e4a-ff2f-4259-a5f6-97684b44d76a",
- "name": "Unified Endpoint Manager (UEM) SRG",
+ "name": "Rev. 4 Sunset - Unified Endpoint Management Server SRG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_UEM_Y23M04_SRG.zip",
"size": "1 MB"
},
@@ -3861,7 +3862,7 @@
},
{
"id": "4e23723c-e188-4a65-a0a7-ae5d998c24df",
- "name": "Juniper Router STIG",
+ "name": "Rev. 4 Sunset - Juniper Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y23M06_STIG.zip",
"size": "1.32 MB"
},
@@ -4025,7 +4026,7 @@
},
{
"id": "6baa31d7-8039-46df-b822-2cea62039431",
- "name": "Forescout STIG",
+ "name": "Rev. 4 Sunset - Forescout STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FS_Y23M07_STIG.zip",
"size": "1.5 MB"
},
@@ -4142,11 +4143,11 @@
},
{
"id": "RH_OpenShift_Container_Platform_4-12_STIG",
- "name": "Red Hat OpenShift Container Platform 4.12 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_OpenShift_Container_Platform_4-12_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RH_OpenShift_Container_Platform_4-12_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Red Hat OpenShift Container Platform 4.12 STIG - Ver 1, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_OpenShift_Container_Platform_4-12_V1R1_STIG.zip",
+ "size": "2.08 MB",
+ "version": "V1R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RH_OpenShift_Container_Platform_4-12_V1R1_Manual-xccdf.xml"
},
{
"id": "04d1e461-8b60-4b02-abb3-44d98e90ebff",
@@ -4272,21 +4273,21 @@
},
{
"id": "a08a670b-c92e-4c79-ad3c-4c54e516c519",
- "name": "Google Android 14 STIG",
+ "name": "Rev. 4 Sunset - Google Android 14 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Android_14_Y23M10_STIG.zip",
"size": "2.98 MB"
},
{
"id": "Apple_iOS-iPadOS_17_STIG",
- "name": "Apple iOS/iPadOS 17 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_17_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_iOS-iPadOS_17_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Apple iOS/iPadOS 17 STIG - Ver 1, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_17_V1R1_STIG.zip",
+ "size": "2.73 MB",
+ "version": "V1R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_iOS-iPadOS_17_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "79e37763-01cd-46e3-8a8a-35809aa7aebc",
- "name": "Cisco ASA STIG",
+ "name": "Rev. 4 Sunset - Cisco ASA STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y23M10_STIG.zip",
"size": "1.35 MB"
},
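Review bot: the Apple iOS/iPadOS 17 change in this hunk downgrades the record from V2R1 to a "Rev. 4 Sunset" V1R1 entry and drops the V2R1 `url` and Manual-xccdf `file` rather than keeping both versions listed; the same question applies as for the other V2R1-to-sunset swaps in this patch. Confirm that no profile or automation in this repository still resolves the V2R1 file path before it is removed.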
@@ -4334,7 +4335,7 @@
},
{
"id": "0d99a4c9-387b-443a-a979-1347ebfac1e2",
- "name": "Microsoft IIS 10.0 STIG",
+ "name": "Rev. 4 Sunset - Microsoft IIS 10.0 Server STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y23M10_STIG.zip",
"size": "1.53 MB"
},
@@ -4378,7 +4379,7 @@
"id": "VMM",
"name": "Virtual Machine Manager SRG - Ver 2, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Virtual_Machine_Manager_V2R1_SRG.zip",
- "size": "\u2014",
+ "size": "1.15 MB",
"version": "V2R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Virtual_Machine_Manager_V2R1_Manual-xccdf.xml"
},
@@ -4426,7 +4427,7 @@
},
{
"id": "407936fb-cce4-4a5d-8427-051dc9255039",
- "name": "Ivanti Connect Secure STIG",
+ "name": "Rev. 4 Sunset - Ivanti Connect Secure STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Ivanti_Connect_Secure_Y23M11_STIG.zip",
"size": "1.16 MB"
},
@@ -4452,25 +4453,25 @@
},
{
"id": "EPAS_STIG",
- "name": "EnterpriseDB Postgres Advanced Server (EPAS) STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EPAS_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_EPAS_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - EnterpriseDB Postgres Advanced Server (EPAS) STIG - Ver 1, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EPAS_V1R1_STIG.zip",
+ "size": "1.55 MB",
+ "version": "V1R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_EPAS_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "5474d6d7-7ef2-49ae-be55-db9414b6649f",
- "name": "Microsoft Exchange 2019 STIG",
+ "name": "Rev. 4 Sunset - Microsoft Exchange 2019 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M01_STIG.zip",
"size": "2.08 MB"
},
{
"id": "Apple_macOS_14_STIG",
- "name": "Apple macOS 14 (Sonoma) STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_macOS_14_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V1R2_STIG.zip",
+ "size": "2.37 MB",
+ "version": "V1R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_macOS_14_STIG_V1R2_Manual-xccdf.xml"
},
{
"id": "3580fdd1-65df-4445-8415-3b2643369a6d",
@@ -4480,7 +4481,7 @@
},
{
"id": "8b56701f-694a-449e-9cd0-898ccdce0e51",
- "name": "Cisco IOS Router STIG",
+ "name": "Rev. 4 Sunset - Cisco IOS Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Router_Y24M01_STIG.zip",
"size": "2.07 MB"
},
@@ -4492,7 +4493,7 @@
},
{
"id": "a750df9a-d411-4f40-b6af-fad7e17420a2",
- "name": "Cisco IOS XE Router STIG",
+ "name": "Rev. 4 Sunset - Cisco IOS XE Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_Y24M01_STIG.zip",
"size": "2.08 MB"
},
@@ -4504,13 +4505,13 @@
},
{
"id": "32cd1eb2-7d7c-4192-a890-f8e907a3d8b1",
- "name": "Cisco IOS XR Router STIG",
+ "name": "Rev. 4 Sunset - Cisco IOS XR Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M01_STIG.zip",
"size": "2.02 MB"
},
{
"id": "085b6df3-22b9-4786-816e-0054585981d8",
- "name": "Cisco ISE STIG",
+ "name": "Rev. 4 Sunset - Cisco ISE STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ISE_Y24M01_STIG.zip",
"size": "2.68 MB"
},
@@ -4528,13 +4529,13 @@
},
{
"id": "4fb29b49-d53f-4a35-806a-034b835c22aa",
- "name": "HPE 3PAR StoreServ OS STIG",
+ "name": "Rev. 4 Sunset - HPE 3PAR StoreServ OS STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPE_3PAR_StoreServ_OS_Y24M01_STIG.zip",
"size": "1.46 MB"
},
{
"id": "HPE_Nimble_Storage_Array_NDM_STIG",
- "name": "HPE Nimble Storage Array STIG - Ver 1, Rel 2",
+ "name": "Rev. 4 Sunset - HPE Nimble Storage Array STIG - Ver 1, Rel 2",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPE_Nimble_Storage_Array_V1R2_STIG.zip",
"size": "1.92 MB",
"version": "V1R2",
@@ -4548,7 +4549,7 @@
},
{
"id": "528d74c0-a1a8-4bf6-aa0f-a89ac25ef1db",
- "name": "Juniper EX Series Switches STIG",
+ "name": "Rev. 4 Sunset - Juniper EX Series Switches STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M01_STIG.zip",
"size": "1.5 MB"
},
@@ -4566,17 +4567,17 @@
},
{
"id": "8f0aa6b5-b737-4865-8dca-0758dfdf7e6b",
- "name": "Palo Alto Networks STIG",
+ "name": "Rev. 4 Sunset - Palo Alto Networks STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M01_STIG.zip",
"size": "1.31 MB"
},
{
- "id": "PostgreSQL_9-x_STIG",
- "name": "Red Hat Enterprise Linux 9 STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_PGS_SQL_9-x_STIG_V2R1_Manual-xccdf.xml"
+ "id": "RHEL_9_STIG",
+ "name": "Rev. 4 Sunset - Red Hat Enterprise Linux 9 STIG - Ver 1, Rel 3",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V1R3_STIG.zip",
+ "size": "1.96 MB",
+ "version": "V1R3",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RHEL_9_STIG_V1R3_Manual-xccdf.xml"
},
{
"id": "EDB_Postgres_Advanced_Server_STIG",
@@ -4596,7 +4597,7 @@
"id": "McAfee_Application_Control_8-x_STIG",
"name": "Trellix Application Control 8.x STIG - Ver 3, Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Trellix_Application_Control_8-x_V3R1_STIG.zip",
- "size": "\u2014",
+ "size": "1.17 MB",
"version": "V3R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Trellix_Application_Control_8-x_STIG_V3R1_Manual-xccdf.xml"
},
@@ -4607,12 +4608,12 @@
"size": "3.55 MB"
},
{
- "id": "Apache_Server_2-4_Windows_Server_STIG",
- "name": "Microsoft Windows Server Domain Name System STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_DNS_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apache_Server_2-4_Windows_Server_STIG_V2R1_Manual-xccdf.xml"
+ "id": "MS_Windows_Server_2022_DNS_STIG",
+ "name": "Rev. 4 Sunset - Microsoft Windows Server Domain Name System STIG - Ver 1, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_DNS_V1R1_STIG.zip",
+ "size": "2 MB",
+ "version": "V1R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_DNS_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "b758ee5f-9613-4b0b-b3fb-35663af7b7bd",
@@ -4680,11 +4681,11 @@
},
{
"id": "CAN_Ubuntu_22-04_LTS_STIG",
- "name": "Canonical Ubuntu 22.04 LTS STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_22-04_LTS_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_CAN_Ubuntu_22-04_LTS_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Canonical Ubuntu 22.04 LTS STIG - Ver 1, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_22-04_LTS_V1R1_STIG.zip",
+ "size": "1.97 MB",
+ "version": "V1R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_CAN_Ubuntu_22-04_LTS_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "3b9b27d7-ec73-4774-8f74-4f45072326b1",
@@ -4754,33 +4755,33 @@
},
{
"id": "Mirantis_Kubernetes_Engine_STIG",
- "name": "Mirantis Kubernetes Engine STIG - Ver 2, Rel 1",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Mirantis_Kubernetes_Engine_V2R1_STIG.zip",
- "size": "\u2014",
- "version": "V2R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Mirantis_Kubernetes_Engine_STIG_V2R1_Manual-xccdf.xml"
+ "name": "Rev. 4 Sunset - Mirantis Kubernetes Engine STIG - Ver 1, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Mirantis_Kubernetes_Engine_V1R1_STIG.zip",
+ "size": "1.99 MB",
+ "version": "V1R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Mirantis_Kubernetes_Engine_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "64078167-e113-4e67-b487-462360ad54b6",
- "name": "Apache Server 2.4 Unix STIG",
+ "name": "Rev. 4 Sunset - Apache Server 2.4 Unix STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Unix_Y24M04_STIG.zip",
"size": "2.05 MB"
},
{
"id": "8bc04976-be6f-4e0d-ad4f-5bf277eb86c6",
- "name": "Cisco IOS Switch STIG",
+ "name": "Rev. 4 Sunset - Cisco IOS Switch STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Switch_Y24M04_STIG.zip",
"size": "2.14 MB"
},
{
"id": "103031ec-78cb-4041-be65-1bf802216c3a",
- "name": "Cisco IOS XE Switch STIG",
+ "name": "Rev. 4 Sunset - Cisco IOS XE Switch STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Switch_Y24M04_STIG.zip",
"size": "2.08 MB"
},
{
"id": "1b250e70-229c-48dc-bc18-da3a8009805a",
- "name": "Cisco NX OS Switch STIG",
+ "name": "Rev. 4 Sunset - Cisco NX OS Switch STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M04_STIG.zip",
"size": "2.13 MB"
},
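Review bot: the Mirantis Kubernetes Engine change in this hunk swaps the V2R1 record for the V1R1 sunset record, while the last hunk of this patch re-adds `"id": "Mirantis_Kubernetes_Engine_STIG"` on a "Kubernetes STIG Benchmark - Ver 2, Rel 1" entry whose `file` still points at `U_Mirantis_Kubernetes_Engine_STIG_V2R1_Manual-xccdf.xml`. The net effect is a duplicate id and a Mirantis xccdf attached to a Kubernetes SCAP benchmark; keep the Mirantis V2R1 record here and give the Kubernetes benchmark its own id and file.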
@@ -4798,25 +4799,25 @@
},
{
"id": "5797f807-db0f-49bc-aed1-9e07c23fdaa6",
- "name": "IBM zOS STIG",
+ "name": "Rev. 4 Sunset - IBM z/OS STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_zOS_Y24M04_STIG.zip",
"size": "2.47 MB"
},
{
"id": "5269bc50-2e32-4a5d-ab17-88098d5d49de",
- "name": "MS SQL Server 2016 STIG",
+ "name": "Rev. 4 Sunset - Microsoft SQL Server 2016 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y24M04_STIG.zip",
"size": "1.19 MB"
},
{
"id": "dd2d6238-2ad8-4069-9ccc-32d04e7c997d",
- "name": "Red Hat Ansible Automation Controller STIG",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_Ansible_Automation_Controller_Y24M07_STIG.zip",
- "size": "\u2014"
+ "name": "Rev. 4 Sunset - Red Hat Ansible Automation Controller STIG",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_Ansible_Automation_Controller_Y24M04_STIG.zip",
+ "size": "2.23 MB"
},
{
"id": "948cf4bc-e83f-469c-95c9-24fc2cb30492",
- "name": "Samsung Android 14 with Knox 3.x STIG",
+ "name": "Rev. 4 Sunset - Samsung Android OS 14 with Knox 3.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SS_Android_OS_14_KPE_3-x_Y24M04_STIG.zip",
"size": "3.03 MB"
},
@@ -4854,186 +4855,179 @@
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y24M08_STIG.zip",
"size": "4.82 MB"
},
- {
- "id": "362d1956-b179-47bc-ad4d-d9c6f92b244a",
- "name": "z/OS SRR Scripts - Ver 6, Rel 61",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_V6R61_SRR.zip",
- "size": "\u2014",
- "version": "V6R61"
- },
{
"id": "d00160dd-37ca-4227-ada7-b4d76b2dc741",
"name": "Apache Server 2.4 Unix STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Unix_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.05 MB"
},
{
"id": "e45ee55e-3e4a-4779-9588-b0df376141f3",
"name": "Apache Server 2.4 Windows STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Windows_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.85 MB"
},
{
"id": "e53e4a33-50df-46c0-a376-03849f3ccb8f",
"name": "Arista MLS EOS 4.2x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.97 MB"
},
{
"id": "9febf9e0-b36c-4585-b13f-2ce85b664a04",
"name": "Cisco ASA STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.36 MB"
},
{
"id": "14bd48a3-26b5-4829-8505-ce6a5f211190",
"name": "Cisco IOS Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Router_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.08 MB"
},
{
"id": "46baabf4-dfff-415e-b4e4-6db07bb5f17d",
"name": "Cisco IOS Switch STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Switch_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.16 MB"
},
{
"id": "62391c55-0156-4429-8d45-b883a4b5ea13",
"name": "Cisco IOS XE Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.08 MB"
},
{
"id": "e0699158-2ca4-4679-9c42-02c6fd0a675a",
"name": "Cisco IOS XE Switch STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Switch_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.13 MB"
},
{
"id": "75628e19-2a92-49fb-8017-f04b1d773af6",
"name": "Cisco IOS XR Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.02 MB"
},
{
"id": "ea7a2358-2bef-4e61-bb34-85db912e2ab1",
"name": "Cisco ISE STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ISE_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.68 MB"
},
{
"id": "59673ed8-01b5-4133-bcef-dfae188c05e6",
"name": "Cisco NX OS Switch STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.18 MB"
},
{
"id": "fc56cc0a-5b3f-4337-a0d6-17c9bb299035",
"name": "Forescout STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FS_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.42 MB"
},
{
"id": "58d67657-c61f-4207-906a-a6a24e754cb8",
"name": "Google Android 13 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Android_13_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "4.55 MB"
},
{
"id": "ee1cae28-5cf4-4eeb-8172-29d21f07afcb",
"name": "Google Android 14 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Android_14_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.96 MB"
},
{
"id": "71846796-584b-40f6-875c-957c1426fd77",
"name": "HPE 3PAR StoreServ OS STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPE_3PAR_StoreServ_OS_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.47 MB"
},
{
"id": "b0156215-b154-49dd-9334-138b99744aa7",
"name": "IBM Hardware Management Console (HMC) STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_HMC_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.96 MB"
},
{
"id": "e2a6d223-f0f2-4513-8d41-6e266ed7d78a",
"name": "IBM z/OS STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_zOS_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.48 MB"
},
{
"id": "28ff1e3c-00ad-4a9c-b6e7-60ac4b84ec87",
"name": "Ivanti Connect Secure STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Ivanti_Connect_Secure_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.1 MB"
},
{
"id": "4eee10bd-e8e8-4709-80a1-c9880a297ec9",
"name": "Ivanti MobileIron Sentry 9.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Ivanti_MI_Sentry_9-x_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.13 MB"
},
{
"id": "af932642-0b94-41c9-a2db-490c189e1c95",
"name": "Juniper EX Series Switches STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.51 MB"
},
{
"id": "ccf3db8d-76c6-4c90-8586-8d8e5b12fe74",
"name": "Juniper Router STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.39 MB"
},
{
"id": "4f5d08bd-ef95-4191-b362-232abdf8811b",
"name": "Juniper SRX Services Gateway STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.38 MB"
},
{
"id": "98c7ee97-874c-4e25-b332-c2481c3940f5",
"name": "Microsoft Exchange 2019 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.3 MB"
},
{
"id": "c06202cf-5a3f-4867-a7a3-4a76f75af6d0",
"name": "Microsoft IIS 10.0 Server STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.48 MB"
},
{
"id": "7fdc0233-169b-4cca-ad65-4e2d7602c639",
"name": "Microsoft SQL Server 2016 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.21 MB"
},
{
"id": "c1b21a15-b2b5-42ce-b71b-ea4aec8498a7",
"name": "Nutanix AOS 5.20.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Nutanix_AOS_5-20-x_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.17 MB"
},
{
"id": "4ef9dfb5-7c64-4729-8405-d56d828abb09",
"name": "Palo Alto Networks STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.27 MB"
},
{
"id": "fc0c2eb1-4216-421d-9f05-7722d0b3b172",
"name": "Samsung Android OS 13 with Knox 3.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SS_Android_OS_13_KPE_3-x_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.33 MB"
},
{
"id": "25507565-743e-4d6b-9672-e3c448fcdca5",
"name": "Samsung Android OS 14 with Knox 3.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SS_Android_OS_14_KPE_3-x_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "3.04 MB"
},
{
"id": "0b6fc1df-8803-431b-990e-c67b4c4c23a9",
@@ -5045,25 +5039,25 @@
"id": "4df99c5f-8852-4664-acc2-534587a2bf7a",
"name": "Sunset - Arista MultiLayer Switch DCS 7000 Series STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_DCS-7000_Series_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.28 MB"
},
{
"id": "fe81ea50-bac9-4625-95b4-8cc24cd0f305",
"name": "Sunset - CA API Gateway STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CA_API_Gateway_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.13 MB"
},
{
"id": "5d2c48f9-d604-4ba9-8700-7f75f2809386",
"name": "Sunset - DBN 6300 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_DBN-6300_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.32 MB"
},
{
"id": "Docker_Enterprise_2-x_Linux-UNIX_STIG",
"name": "Sunset - Docker Enterprise 2.x Linux/Unix STIG - Ver 2, Rel 2",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-Unix_V2R2_STIG.zip",
- "size": "\u2014",
+ "size": "1.58 MB",
"version": "V2R2",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Docker_Enterprise_2-x_Linux-Unix_STIG_V2R2_Manual-xccdf.xml"
},
@@ -5071,67 +5065,184 @@
"id": "cda0ddf5-a6a6-4f40-927a-e2fc7b57f942",
"name": "Sunset - Google Android 12 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Android_12_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.04 MB"
},
{
"id": "536a8bdf-a32f-4757-8aae-5cee323b8222",
"name": "Sunset - IBM MQ Appliance V9-0 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_MQ_Appliance_v9-0_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.22 MB"
},
{
"id": "dd5d1312-1315-4ec1-89a3-398303c2136a",
"name": "Sunset - Microsoft Android 11 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Android_11_FY24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.1 MB"
},
{
"id": "9a89bcef-f334-41c4-b58b-7222d26d8cb6",
"name": "Sunset - Microsoft Exchange 2013 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2013_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1.92 MB"
},
{
"id": "acdaf535-32f0-4864-92eb-06b56924019a",
"name": "Sunset - Riverbed Steelhead CX v8 STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Riverbed_SteelHead_CX_v8_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "1000.92 KB"
},
{
"id": "67190aef-4d9d-463d-bf16-cb85122acb96",
"name": "Sunset - Samsung Android 11 Knox 3.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SS_Android_11_Knox_3-x_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "3.29 MB"
},
{
"id": "966cee86-5596-460a-8c0d-15d5f3c5e569",
"name": "Sunset - Samsung Android 12 KPE 3.x STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SS_Android_12_KPE_3-x_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.2 MB"
},
{
"id": "71fc74e9-7d38-4f80-a3fe-73f303369d75",
"name": "Tanium 7.x TanOS STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Tanium_7-x_TanOS_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.12 MB"
},
{
"id": "73bb531d-fd7c-40af-87c5-c7832bf86003",
"name": "Trend Micro TippingPoint STIG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_TM_TippingPoint_Y24M07_STIG.zip",
- "size": "\u2014"
+ "size": "2.12 MB"
},
{
"id": "7f20e6f4-3ccd-46ac-9fc8-c664b181d65b",
"name": "Unified Endpoint Management Server SRG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_UEM_Y24M07_SRG.zip",
- "size": "\u2014"
+ "size": "1.4 MB"
+ },
+ {
+ "id": "5455acba-620f-433e-82e3-6fa7f9f1999a",
+ "name": "Sunset - Canonical Ubuntu 18.04 LTS STIG - Ver 2, Rel 15",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_LTS_V2R15_STIG.zip",
+ "size": "1.23 MB",
+ "version": "V2R15"
+ },
+ {
+ "id": "Mirantis_Kubernetes_Engine_STIG",
+ "name": "Kubernetes STIG Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "32.73 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Mirantis_Kubernetes_Engine_STIG_V2R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "Microsoft_Excel_2016",
+ "name": "Microsoft Edge STIG Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Edge_V2R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "24.7 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Excel_2016_STIG_V2R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "Windows_Server_2019_STIG",
+ "name": "Microsoft Windows 10 STIG Benchmark - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V3R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "107.67 KB",
+ "version": "V3R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2019_STIG_V3R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "Windows_PAW_STIG",
+ "name": "Microsoft Windows 11 STIG Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_11_V2R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "98.99 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_PAW_STIG_V2R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "Windows_Server_2016_STIG",
+ "name": "Microsoft Windows Server 2016 STIG Benchmark - Ver 2, Rel 6",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2016_V2R6_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "91.93 KB",
+ "version": "V2R6",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2016_STIG_V2R6_Manual-xccdf.xml"
+ },
+ {
+ "id": "Oracle_Linux_5_STIG",
+ "name": "Oracle Linux 8 STIG Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V2R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "132.27 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Oracle_Linux_5_STIG_V2R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "RHEL_7_STIG",
+ "name": "Red Hat Enterprise Linux 7 STIG Benchmark - Ver 3, Rel 15",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R15_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "93.44 KB",
+ "version": "V3R15",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RHEL_7_STIG_V3R15_Manual-xccdf.xml"
+ },
+ {
+ "id": "RHEL_8_STIG",
+ "name": "Red Hat Enterprise Linux 8 STIG Benchmark - Ver 1, Rel 13",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "130.43 KB",
+ "version": "V1R13",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml"
+ },
+ {
+ "id": "PostgreSQL_9-x_STIG",
+ "name": "Red Hat Enterprise Linux 9 STIG Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R1_STIG_SCAP_1-3_benchmark.zip",
+ "size": "210.2 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_PGS_SQL_9-x_STIG_V2R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "Solaris_11_X86_STIG",
+ "name": "Solaris 11 SPARC STIG SCAP Benchmark - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_11_SPARC_V3R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "38.14 KB",
+ "version": "V3R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SOL_11_x86_STIG_V3R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "Solaris_11_X86_STIG",
+ "name": "Solaris 11 x86 STIG SCAP Benchmark - Ver 3, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_11_X86_V3R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "39.12 KB",
+ "version": "V3R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SOL_11_x86_STIG_V3R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "113a75f1-dae5-4aa8-8d40-eeb2269f6ac2",
+ "name": "Sunset - Microsoft SQL Server 2014 STIG",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2014_Y24M07_STIG.zip",
+ "size": "1.28 MB"
+ },
+ {
+ "id": "SLES_15_STIG",
+ "name": "SUSE Linux Enterprise Server 15 Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLES_15_V2R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "59.39 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SLES_15_STIG_V2R1_Manual-xccdf.xml"
+ },
+ {
+ "id": "SLES_15_STIG",
+ "name": "TOSS 4 STIG Benchmark - Ver 2, Rel 1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_TOSS_4_V2R1_STIG_SCAP_1-3_Benchmark.zip",
+ "size": "103.6 KB",
+ "version": "V2R1",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SLES_15_STIG_V2R1_Manual-xccdf.xml"
},
{
- "id": "2f526c83-42ab-4a9f-8245-b766fce9f583",
- "name": "zOS RACF2 Products - Ver 6, Rel 61",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_RACF_V6R61_Products.zip",
- "size": "\u2014",
+ "id": "49555a30-c7c4-4813-8fbe-4a5fb42dee25",
+ "name": "zOS TSS Products - Ver 6, Rel 61",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_TSS_V6R61_Products.zip",
+ "size": "8.87 MB",
"version": "V6R61"
}
]
\ No newline at end of file
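Review bot: most of the records added after the Unified Endpoint Management Server SRG entry reuse an existing `id` and attach a `file` belonging to a different product than the `name` and `url` describe, so the id and file fields of this block need to be regenerated before merge. Specifically: `"Microsoft_Excel_2016"` labels a Microsoft Edge benchmark and points at the Excel 2016 xccdf; `"Windows_Server_2019_STIG"` labels Windows 10 and points at the Server 2019 xccdf; `"Windows_PAW_STIG"` labels Windows 11 and points at the PAW xccdf; `"Oracle_Linux_5_STIG"` labels Oracle Linux 8 and points at the Oracle Linux 5 xccdf; `"PostgreSQL_9-x_STIG"` labels RHEL 9 and points at the PostgreSQL xccdf (the same pairing an earlier hunk in this patch corrects); `"Solaris_11_X86_STIG"` is used for both the SPARC and x86 benchmarks, with the SPARC entry's `file` pointing at the x86 xccdf; `"SLES_15_STIG"` is used for both SLES 15 and TOSS 4, with the TOSS 4 entry's `file` pointing at the SLES xccdf; and `"RHEL_7_STIG"` and `"Mirantis_Kubernetes_Engine_STIG"` duplicate ids that already exist elsewhere in the catalog. In addition, every one of these entries pairs a `*_STIG_SCAP_1-3_Benchmark.zip` `url` with a `*_Manual-xccdf.xml` `file`, which are different artifacts, so the `file` field should either be dropped for SCAP benchmark records or point at the benchmark's own xccdf. Two smaller points: the new "Sunset - Canonical Ubuntu 18.04 LTS STIG - Ver 2, Rel 15" record has no `file` even though this patch adds `benchmarks/DISA/U_CAN_Ubuntu_18-04_LTS_STIG_V2R15_Manual-xccdf.xml`, and it uses a UUID id where comparable versioned records use a slug such as `CAN_Ubuntu_22-04_LTS_STIG`; and the "zOS RACF2 Products - Ver 6, Rel 61" record is replaced by the "zOS TSS Products" record rather than kept alongside it, which looks like an unintended deletion.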