
<baseline BaselineId="Common.Linux.1" BaseOrigId="1">
  <audits>
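    <!-- Looks for an "install usb-storage /bin/true" line in some file under /etc/modprobe.d/.
         This is a file-based check only; a usb-storage module that is already loaded is not
         detected here (the remediation text covers unloading it). -->
    <audit
      description="Ensure mounting of USB storage devices is disabled"
      msid="1.1.21.1"
      impact="Removing support for USB storage devices reduces the local attack surface of the server."
      remediation="Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install usb-storage /bin/true` then unload the usb-storage module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="acffbbca-3e5b-9aa9-65ee-ff7b6116565f">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+usb-storage\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>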

    <!-- The filter selects non-comment fstab entries whose mount point (second field) contains
         "floppy" or "cdrom"; the check presumably fails when such an entry lacks the nodev option. -->
    <audit
      description="The nodev option should be enabled for all removable media."
      msid="2.1"
      cceid="CCE-3522-0"
      severity="Important"
      impact="An attacker could mount a special device (for example, block or character device) via removable media"
      remediation="Add the nodev option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages."
      ruleId="5c7537f2-b90b-44a4-89c9-4fca5fd79ef7">
      <check distro="*" command="CheckNoMatchingLines" filter="^[^#]\S+\s+\S*(floppy|cdrom)" regex="nodev" path="/etc/fstab" />
    </audit>

    <!-- Same removable-media filter as msid 2.1; here the option that must be present is noexec. -->
    <audit
      description="The noexec option should be enabled for all removable media."
      msid="2.2"
      cceid="CCE-4275-4"
      severity="Important"
      impact="An attacker could load executable file via removable media"
      remediation="Add the noexec option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages."
      ruleId="7976cc38-fddb-4913-9295-4fcac2e641c3">
      <check distro="*" command="CheckNoMatchingLines" filter="^[^#]\S+\s+\S*(floppy|cdrom)" regex="noexec" path="/etc/fstab" />
    </audit>

    <!-- Same removable-media filter as msid 2.1; here the option that must be present is nosuid. -->
    <audit
      description="The nosuid option should be enabled for all removable media."
      msid="2.3"
      cceid="CCE-4042-8"
      severity="Important"
      impact="An attacker could load files that run with an elevated security context via removable media"
      remediation="Add the nosuid option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages."
      ruleId="cdc390c9-fb4a-47f6-90a7-4e1bd6d0e9e6">
      <check distro="*" command="CheckNoMatchingLines" filter="^[^#]\S+\s+\S*(floppy|cdrom)" regex="nosuid" path="/etc/fstab" />
    </audit>

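    <!-- The filter selects fstab entries containing "nfs" followed by whitespace. The description
         requires BOTH nosuid and nodev, so each option gets its own check, mirroring msid 2.1 to 2.3;
         a single "nosuid|nodev" alternation would accept a mount that sets only one of them. -->
    <audit
      description="The nodev/nosuid option should be enabled for all NFS mounts."
      msid="5"
      cceid="CCE-4368-7"
      severity="Important"
      impact="An attacker could load files that run with an elevated security context or special devices via remote file system"
      remediation="Add the nosuid and nodev options to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages."
      ruleId="7ca24433-3c08-4ff5-9fe2-d8e1830c5829">
      <check distro="*" command="CheckNoMatchingLines" filter="nfs\s+" regex="nosuid" path="/etc/fstab" />
      <check distro="*" command="CheckNoMatchingLines" filter="nfs\s+" regex="nodev" path="/etc/fstab" />
    </audit>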

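    <!-- Requires an "install cramfs /bin/true" line in some file under /etc/modprobe.d/. The
         remediation path is /etc/modprobe.d (the earlier "modprob.d" spelling was a typo). -->
    <audit
      description="Disable the installation and use of file systems that are not required (cramfs)"
      msid="6.1"
      severity="Warning"
      impact="An attacker could use a vulnerability in cramfs to elevate privileges"
      remediation="Add a file to the /etc/modprobe.d directory that disables cramfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="9967cbaf-44be-0dd1-92ab-d4f4034b2d28">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+cramfs\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>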

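    <!-- Requires an "install freevxfs /bin/true" line in some file under /etc/modprobe.d/. The
         remediation path is /etc/modprobe.d (the earlier "modprob.d" spelling was a typo). -->
    <audit
      description="Disable the installation and use of file systems that are not required (freevxfs)"
      msid="6.2"
      severity="Warning"
      impact="An attacker could use a vulnerability in freevxfs to elevate privileges"
      remediation="Add a file to the /etc/modprobe.d directory that disables freevxfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="4c066a3d-8eba-a210-3228-cff300039363">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+freevxfs\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>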

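    <!-- Requires an "install hfs /bin/true" line in some file under /etc/modprobe.d/. The
         remediation path is /etc/modprobe.d (the earlier "modprob.d" spelling was a typo). -->
    <audit
      description="Disable the installation and use of file systems that are not required (hfs)"
      msid="6.3"
      severity="Warning"
      impact="An attacker could use a vulnerability in hfs to elevate privileges"
      remediation="Add a file to the /etc/modprobe.d directory that disables hfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="39595d95-88a4-78e2-6e0e-fbde7fd95eed">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+hfs\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>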

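    <!-- Requires an "install hfsplus /bin/true" line in some file under /etc/modprobe.d/. The
         remediation path is /etc/modprobe.d (the earlier "modprob.d" spelling was a typo). -->
    <audit
      description="Disable the installation and use of file systems that are not required (hfsplus)"
      msid="6.4"
      severity="Warning"
      impact="An attacker could use a vulnerability in hfsplus to elevate privileges"
      remediation="Add a file to the /etc/modprobe.d directory that disables hfsplus or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="68fb9c92-1009-9e24-694e-3d996a5e09c5">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+hfsplus\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>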

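    <!-- Requires an "install jffs2 /bin/true" line in some file under /etc/modprobe.d/. The
         remediation path is /etc/modprobe.d (the earlier "modprob.d" spelling was a typo). -->
    <audit
      description="Disable the installation and use of file systems that are not required (jffs2)"
      msid="6.5"
      severity="Warning"
      impact="An attacker could use a vulnerability in jffs2 to elevate privileges"
      remediation="Add a file to the /etc/modprobe.d directory that disables jffs2 or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="859c7aa0-6eeb-6aac-6160-2fdead2537bf">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+jffs2\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>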

    <!-- Only an Ubuntu-specific check is defined: VerifyKernelSource expects "-Ubuntu " in the
         kernel version string (presumably from uname). No check is listed for other distributions,
         so what the engine reports for them is not determined by this file. -->
    <audit
      description="Kernels should only be compiled from approved sources."
      msid="10"
      cceid="CCE-4209-3"
      severity="Critical"
      impact="A kernel from an unapproved source could contain vulnerabilities or backdoors to grant access to an attacker."
      remediation="Install the kernel that is provided by your distro vendor."
      ruleId="34e19f66-2387-4cdc-8ab2-cfac8e5865f0">
      <check distro="Ubuntu" command="VerifyKernelSource" regex="-Ubuntu "/>
    </audit>

    <!-- mode-mask 07177 presumably names the permission bits that must be clear: setuid/setgid/sticky,
         owner execute, and all group/other bits. The loosest mode that passes is then 0600, not the
         0400 stated in the description; confirm which is intended. Group may be root or shadow. -->
    <audit
      description = "/etc/shadow file permissions should be set to 0400"
      msid="11.1"
      cceid="CCE-4130-1"
      severity="Critical"
      impact="An attacker can retrieve or manipulate hashed passwords from /etc/shadow if it is not correctly secured."
      remediation="Set the permissions and ownership of /etc/shadow* or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-shadow-perms'"
      ruleId="13dabe7c-02ea-09d2-1a97-42cc7ac94eaa">
      <check distro="*" command="CheckFileStats" path="/etc/shadow" owner="root" group="root,shadow" mode-mask="07177"/>
    </audit>

    <!-- Same owner/group/mode-mask rule as msid 11.1 applied to the shadow backups. /etc/shadow- uses
         CheckFileStats, /etc/shadow.old uses CheckFileStatsIfExists; presumably the former fails when
         the file is missing and the latter is skipped. -->
    <audit
      description = "/etc/shadow- file permissions should be set to 0400"
      msid="11.2"
      cceid="CCE-4130-1"
      severity="Critical"
      impact="An attacker can retrieve or manipulate hashed passwords from /etc/shadow- if it is not correctly secured."
      remediation="Set the permissions and ownership of /etc/shadow* or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-shadow-perms'"
      ruleId="1e941132-a3a7-5ccb-1817-50551b65202e">
      <check distro="*" command="CheckFileStats" path="/etc/shadow-" owner="root" group="root,shadow" mode-mask="07177"/>
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/shadow.old" owner="root" group="root,shadow" mode-mask="07177"/>
    </audit>

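    <!-- Description corrected: the check path and the remediation both name /etc/gshadow-, so this
         audit covers the gshadow backup and msid 11.4 covers /etc/gshadow itself.
         NOTE(review): if the numbering was meant to follow 11.1/11.2 (live file first, then backup),
         swap the check path and remediation text between 11.3 and 11.4 instead. Same mode-mask as 11.1;
         the file is only checked when it exists. -->
    <audit
      description="/etc/gshadow- file permissions should be set to 0400"
      msid="11.3"
      cceid="CCE-3932-1"
      severity="Critical"
      impact="An attacker could join security groups if this file is not properly secured"
      remediation="Set the permissions and ownership of /etc/gshadow- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-gshadow-perms'"
      ruleId="0a7f2b28-8586-6cef-512e-a28f991d83cd">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/gshadow-" owner="root" group="root,shadow" mode-mask="07177"/>
    </audit>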

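    <!-- Description corrected to match the check path and the remediation (/etc/gshadow). Unlike
         /etc/shadow in msid 11.1 this uses CheckFileStatsIfExists, so a missing /etc/gshadow is
         presumably skipped rather than reported. Same mode-mask as 11.1. -->
    <audit
      description="/etc/gshadow file permissions should be set to 0400"
      msid="11.4"
      cceid="CCE-3932-1"
      severity="Critical"
      impact="An attacker could join security groups if this file is not properly secured"
      remediation="Set the permissions and ownership of /etc/gshadow or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-gshadow-perms'"
      ruleId="0fe59dec-472c-4b11-a221-36053a47afb6">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/gshadow" owner="root" group="root,shadow" mode-mask="07177"/>
    </audit>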

    <!-- /etc/passwd must be root:root with mode 0644; allow-stricter="true" presumably accepts a
         tighter mode but never a looser one. -->
    <audit
      description="/etc/passwd file permissions should be 0644"
      msid="12.1"
      cceid="CCE-3566-7"
      severity="Critical"
      impact="An attacker could modify userIDs and login shells"
      remediation="Set the permissions and ownership of /etc/passwd or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-passwd-perms'"
      ruleId="ad534c97-1070-415c-9fc7-c92366d3fc30">
      <check distro="*" command="CheckFileStats" path="/etc/passwd" owner="root" group="root" mode="644" allow-stricter="true" />
    </audit>

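    <!-- /etc/group must be root:root with mode 0644 or stricter (same rule shape as msid 12.1). -->
    <audit
      description="/etc/group file permissions should be 0644"
      msid="12.2"
      cceid="CCE-3967-7"
      severity="Critical"
      impact="An attacker could elevate privileges by modifying group membership"
      remediation="Set the permissions and ownership of /etc/group or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-group-perms'"
      ruleId="c41a47e9-1ba0-4e72-9f43-4659a4bfed63">
      <check distro="*" command="CheckFileStats" path="/etc/group" owner="root" group="root" mode="644" allow-stricter="true" />
    </audit>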

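    <!-- /etc/passwd- (backup) must be owned by root, group root or shadow, mode exactly 0600 (no
         allow-stricter), and is only checked when it exists.
         NOTE(review): cceid CCE-3932-1 and the impact sentence are the ones used by the gshadow
         audits (msid 11.3/11.4) and do not describe /etc/passwd-; confirm and replace them with the
         values for this file. -->
    <audit
      description="/etc/passwd- file permissions should be set to 0600"
      msid="12.3"
      cceid="CCE-3932-1"
      severity="Critical"
      impact="An attacker could join security groups if this file is not properly secured"
      remediation="Set the permissions and ownership of /etc/passwd- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-passwd-perms'"
      ruleId="0c67cac0-1e99-8a8f-32e1-841d18b01a9a">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/passwd-" owner="root" group="root,shadow" mode="600"/>
    </audit>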

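    <!-- /etc/group- (backup) must be root:root with mode 0644 or stricter; CheckFileStats rather than
         the IfExists variant, so the backup is presumably expected to be present. -->
    <audit
      description="/etc/group- file permissions should be 0644"
      msid="12.4"
      cceid="CCE-3967-7"
      severity="Critical"
      impact="An attacker could elevate privileges by modifying group membership"
      remediation="Set the permissions and ownership of /etc/group- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-group-perms'"
      ruleId="865ebb92-8e64-4e3a-aa9b-0290768aa8f1">
      <check distro="*" command="CheckFileStats" path="/etc/group-" owner="root" group="root" mode="644" allow-stricter="true" />
    </audit>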

    <!-- Requires an uncommented "auth required pam_wheel.so ... use_uid" line in /etc/pam.d/su;
         other module options between pam_wheel.so and use_uid are tolerated by the (\s+.*)? group.
         The unescaped dot in "pam_wheel.so" matches any character, which is harmless here. -->
    <audit
      description = "Access to the root account via su should be restricted to the 'root' group"
      msid="21"
      cceid="CCE-15047-4"
      severity="Critical"
      impact="An attacker could escalate permissions by password guessing if su is not restricted to users in the root group."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r fix-su-permissions'. This will add the line 'auth required pam_wheel.so use_uid' to the file '/etc/pam.d/su'"
      ruleId="0c77cac0-1e99-8a8f-32e1-841d18b01a9a">
      <check distro="*" command="CheckMatchingLines" regex="^[\s\t]*auth\s+required\s+pam_wheel.so(\s+.*)?\suse_uid" path="/etc/pam.d/su"/>
    </audit>

    <!-- Requires a "root:x:0:" entry in /etc/group, i.e. the root group defined with GID 0. Membership
         is not inspected by this check. -->
    <audit
      description="The 'root' group should exist, and contain all members who can su to root"
      msid="22"
      cceid="CCE-14088-9"
      severity="Critical"
      impact="An attacker could escalate permissions by password guessing if su is not restricted to users in the root group."
      remediation="Create the root group via the command 'groupadd -g 0 root'"
      ruleId="8cac0c32-1add-42b9-9300-5ccb9f91aab3">
      <check distro="*" command="CheckMatchingLines" regex="^root:x:0:" path="/etc/group" />
    </audit>

    <!-- Flags any /etc/shadow entry whose password field (the second colon-separated field) is empty. -->
    <audit
      description="All accounts should have a password"
      msid="23.2"
      cceid="CCE-4238-2"
      severity="Critical"
      impact="An attacker can login to accounts with no password and execute arbitrary commands."
      remediation="Use the passwd command to set passwords for all accounts"
      ruleId="ca9d29b7-79bd-4c99-85e2-1454295c3c8e">
      <check distro="*" command="CheckNoMatchingLines" regex="^[^:]+::" path="/etc/shadow" />
    </audit>

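    <!-- UIDs are the third field of /etc/passwd (name:x:uid:gid:...); the third field of /etc/shadow is
         the last password change date, so the check previously read the wrong file. The old regex
         "^[^:]:[^:]:0:" also matched only single-character name and password fields; it now accepts
         any name, any password field and a UID of exactly 0.
         NOTE(review): the filter "^root" is kept as-is; whether the engine excludes or restricts to
         lines matching the filter is not visible here. Confirm that the root entry itself does not
         trip this check. -->
    <audit
      description="Accounts other than root must have unique UIDs greater than zero(0)"
      msid="24"
      cceid="CCE-4009-7"
      severity="Critical"
      impact="If an account other than root has uid zero, an attacker could compromise the account and gain root privileges."
      remediation="Assign unique, non-zero uids to all non-root accounts using 'usermod -u'"
      ruleId="7de0f0e6-f97b-4e12-8f9e-c6538ca5a85b">
      <check distro="*" command="CheckNoMatchingLines" filter="^root" regex="^[^:]+:[^:]*:0:" path="/etc/passwd" />
    </audit>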

    <!-- /proc/sys/kernel/randomize_va_space must read exactly 1 or 2, as the remediation states. -->
    <audit
      description="Randomized placement of virtual memory regions should be enabled"
      msid="25"
      cceid="CCE-4146-7"
      severity="Critical"
      impact="An attacker could write executable code to known regions in memory resulting in elevation of privilege"
      remediation="Add the value '1' or '2' to the file '/proc/sys/kernel/randomize_va_space'"
      ruleId="d790e942-efd3-42e6-a3a5-9eb1d651a588">
      <check distro="*" command="CheckMatchingLines" regex="^(1|2)$" path="/proc/sys/kernel/randomize_va_space" />
    </audit>

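    <!-- Requires an "nx" flag on a "flags" line of /proc/cpuinfo. The flag must be delimited by
         whitespace or end of line; the old character class "[ $]" matched a literal dollar sign
         rather than end of line, so an nx flag printed last on the line was missed. -->
    <audit
      description="Kernel support for the XD/NX processor feature should be enabled"
      msid="26"
      cceid="CCE-4172-3"
      severity="Critical"
      impact="An attacker could cause a system to execute code from data regions in memory resulting in elevation of privilege."
      remediation="Confirm the file '/proc/cpuinfo' contains the flag 'nx'"
      ruleId="49c89437-d116-4d84-a91d-0dd59daafa0d">
      <check distro="*" command="CheckMatchingLines" regex="^\s*flags.*\snx(\s|$)" path="/proc/cpuinfo" />
    </audit>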

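    <!-- Flags a "." entry in root's PATH. An empty entry (leading or trailing colon, or "::") is
         searched as the current directory as well, and a PATH consisting of just "." was not caught
         by the old "^\.:|:\.:|:\.$" pattern; the regex now matches any empty or "." entry. -->
    <audit
      description="The '.' should not appear in root's $PATH"
      msid="27.1"
      cceid="CCE-3301-9"
      severity="Critical"
      impact="An attacker could elevate privileges by placing a malicious file in root's $PATH"
      remediation="Modify the 'export PATH=' line in /root/.profile"
      ruleId="d66f8908-7b9f-77fc-18d4-af85197e0aeb">
      <check distro="*" command="CheckNotMatchEnvVariable" user="root" regex="(^|:)\.?(:|$)" variable="PATH"/>
    </audit>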

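    <!-- Delegates entirely to CheckHomeDirectoryPermissions; the 750 ceiling is stated in the
         description, not passed as a parameter here. -->
    <audit
      description="User home directories should be mode 750 or more restrictive"
      msid="28"
      cceid="CCE-4090-7"
      severity="Critical"
      impact="An attacker could retrieve sensitive information from the home folders of other users."
      remediation="Set home folder permissions to 750 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-home-dir-permissions'"
      ruleId="0754488a-75c7-a4e8-0fb4-9212f771623f">
      <check distro="*" command="CheckHomeDirectoryPermissions"/>
    </audit>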

    <!-- Requires a line starting "UMASK 077" in /etc/login.defs. The pattern has no end anchor, so
         "UMASK 0770" would also match, while the spelling "UMASK 0077" would not. -->
    <audit
      description = "The default umask for all users should be set to 077 in login.defs"
      msid="29"
      cceid="CCE-14847-8"
      severity="Critical"
      impact="An attacker could retrieve sensitive information from files owned by other users."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r set-default-user-umask'. This will add the line 'UMASK 077' to the file '/etc/login.defs'"
      ruleId="0753438a-75c7-a4e8-0fb4-9213f771623f">
      <check distro="*" command="CheckMatchingLines" regex="^UMASK\s+077" path="/etc/login.defs"/>
    </audit>

    <!-- Each check applies only when its bootloader file exists. GRUB legacy (grub.conf) must carry a
         password line using the encrypted option; GRUB2 (grub.cfg in either location) accepts a
         password_pbkdf2 line or a password line using the encrypted option, optionally indented. -->
    <audit
      description="All bootloaders should have password protection enabled."
      msid="31"
      cceid="CCE-3818-2"
      severity="Warning"
      impact="An attacker with physical access could modify bootloader options, yielding unrestricted system access"
      remediation="Add a boot loader password to the file '/boot/grub/grub.cfg'"
      ruleId="8a4f5ce8-41c4-710c-631e-fbc36a2fa53e">
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^password\s+--encrypted\s+\S+" path="/boot/grub/grub.conf"/>
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^[\s]*password(?:(?:_pbkdf2\s+\S+)|(?:\s+--encrypted))\s+\S+" path="/boot/grub/grub.cfg"/>
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^[\s]*password(?:(?:_pbkdf2\s+\S+)|(?:\s+--encrypted))\s+\S+" path="/boot/grub2/grub.cfg"/>
    </audit>

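    <!-- Every bootloader config that exists must be root:root with mode 0400 or stricter. -->
    <audit
      description="Ensure permissions on bootloader config are configured"
      msid="31.1"
      severity="Important"
      impact="Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
      remediation="Set the owner and group of your bootloader to root:root and permissions to 0400 or run '/opt/microsoft/omsagent/plugin/omsremediate -r bootloader-permissions'"
      ruleId="091f0150-80d1-0e2d-7353-8cdb77fc6aa1">
      <check distro="*" command="CheckFileStatsIfExists" path="/boot/grub/grub.conf" owner="root" group="root" mode="400" allow-stricter="true"/>
      <check distro="*" command="CheckFileStatsIfExists" path="/boot/grub/grub.cfg" owner="root" group="root" mode="400" allow-stricter="true"/>
      <check distro="*" command="CheckFileStatsIfExists" path="/boot/grub2/grub.cfg" owner="root" group="root" mode="400" allow-stricter="true"/>
    </audit>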

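    <!-- Only verifies that root's password field in /etc/shadow is not blank (no line matching
         "^root:\s*:"), which is what single-user authentication relies on per the remediation. -->
    <audit
      description="Ensure authentication required for single user mode."
      msid="33"
      impact="Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
      remediation="run the following command to set a password for the root user: `passwd root`"
      ruleId="13a48ca1-92bc-63a1-a4de-b984375fa332">
      <check distro="*" command="CheckNoMatchingLines" path="/etc/shadow" regex="^root:\s*:"/>
    </audit>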

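    <!-- Both the "all" and "default" send_redirects keys must report 0 in the sysctl output the
         engine reads (CheckSysctlOutput). -->
    <audit
      description="Ensure packet redirect sending is disabled."
      msid="38.3"
      cceid="CCE-4155-8"
      severity="Critical"
      impact="An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
      remediation="set the following parameters in /etc/sysctl.conf: 'net.ipv4.conf.all.send_redirects = 0' and 'net.ipv4.conf.default.send_redirects = 0' or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-send-redirects'"
      ruleId="5ea9d618-1af4-4e59-65be-ffac234872e9">
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.all\.send_redirects\s*=\s*0\s*$"/>
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.default\.send_redirects\s*=\s*0\s*$"/>
    </audit>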

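    <!-- Description corrected: these checks cover accept_redirects (receiving redirects), not
         send_redirects, which is msid 38.3. All four keys (ipv4/ipv6 times all/default) must be 0. -->
    <audit
      description="Accepting ICMP redirects should be disabled for all interfaces. (net.ipv4.conf.all.accept_redirects = 0, net.ipv4.conf.default.accept_redirects = 0 and the ipv6 equivalents)"
      msid="38.4"
      cceid="CCE-4186-3"
      severity="Critical"
      impact="An attacker could alter this system's routing table, redirecting traffic to an alternate destination"
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-accept-redirects'."
      ruleId="a492f72a-6b79-8a9d-3b4f-3fface972ab7">
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.all\.accept_redirects\s*=\s*0\s*$"/>
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv6\.conf\.all\.accept_redirects\s*=\s*0\s*$"/>
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.default\.accept_redirects\s*=\s*0\s*$"/>
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv6\.conf\.default\.accept_redirects\s*=\s*0\s*$"/>
    </audit>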

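    <!-- Description corrected: secure_redirects governs accepting redirects (from gateways), not
         sending them. Both the "default" and "all" ipv4 keys must be 0. -->
    <audit
      description="Accepting secure ICMP redirects should be disabled for all interfaces. (net.ipv4.conf.default.secure_redirects = 0 and net.ipv4.conf.all.secure_redirects = 0)"
      msid="38.5"
      cceid="CCE-4151-7"
      severity="Critical"
      impact="An attacker could alter this system's routing table, redirecting traffic to an alternate destination"
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-secure-redirects'"
      ruleId="2451c34e-218d-349e-10b2-54c3591e6edf">
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.default\.secure_redirects\s*=\s*0\s*$"/>
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.all\.secure_redirects\s*=\s*0\s*$"/>
    </audit>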

    <!-- Reads the live value from /proc; the file must contain exactly "0". This is the strict
         CheckMatchingLines form, so a missing file presumably fails the check. -->
    <audit
      description="Accepting source routed packets should be disabled for all interfaces. (net.ipv4.conf.all.accept_source_route = 0)"
      msid="40.1"
      cceid="CCE-4236-6"
      severity="Critical"
      impact="An attacker could redirect traffic for malicious purposes."
      remediation="Run `sysctl -w key=value` and set to a compliant value."
      ruleId="4ecae4e6-a3e2-44f5-9985-ea2a21962450">
      <check distro="*" command="CheckMatchingLines" regex="^0$" path="/proc/sys/net/ipv4/conf/all/accept_source_route" />
    </audit>

    <!-- IPv6 counterpart of msid 40.1. Uses the IfExists variant, presumably so hosts without the
         ipv6 /proc tree are not reported. -->
    <audit
      description="Accepting source routed packets should be disabled for all interfaces. (net.ipv6.conf.all.accept_source_route = 0)"
      msid="40.2"
      cceid="CCE-4236-6"
      severity="Critical"
      impact="An attacker could redirect traffic for malicious purposes."
      remediation="Run `sysctl -w key=value` and set to a compliant value."
      ruleId="b659c9f6-a076-4886-9048-db10c349b9fe">
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^0$" path="/proc/sys/net/ipv6/conf/all/accept_source_route" />
    </audit>

    <!-- "default" counterpart of msid 40.1 for ipv4.
         NOTE(review): this uses CheckMatchingLinesIfExists while 40.1 uses CheckMatchingLines for the
         sibling ipv4 path; if the file is absent this rule presumably passes silently. Confirm whether
         the strict form was intended, as for 40.1. -->
    <audit
      description = "The default setting for accepting source routed packets should be disabled for network interfaces. (net.ipv4.conf.default.accept_source_route = 0)"
      msid="42.1"
      cceid="CCE-4091-5"
      severity="Critical"
      impact="An attacker could redirect traffic for malicious purposes."
      remediation="Run `sysctl -w key=value` and set to a compliant value."
      ruleId="63613c25-8ae1-4792-9572-02bdc941febf">
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^0$" path="/proc/sys/net/ipv4/conf/default/accept_source_route" />
    </audit>

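    <!-- "default" counterpart of msid 40.2 for ipv6; only evaluated when the /proc file exists. -->
    <audit
      description="The default setting for accepting source routed packets should be disabled for network interfaces. (net.ipv6.conf.default.accept_source_route = 0)"
      msid="42.2"
      cceid="CCE-4091-5"
      severity="Critical"
      impact="An attacker could redirect traffic for malicious purposes."
      remediation="Run `sysctl -w key=value` and set to a compliant value."
      ruleId="e0b5cd14-6953-4cb9-9f79-2957445686cf">
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^0$" path="/proc/sys/net/ipv6/conf/default/accept_source_route" />
    </audit>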

    <!-- The live /proc value must be exactly "1". -->
    <audit
      description="Ignoring bogus ICMP responses to broadcasts should be enabled. (net.ipv4.icmp_ignore_bogus_error_responses = 1)"
      msid="43"
      cceid="CCE-4133-5"
      severity="Critical"
      impact="An attacker could perform an ICMP attack resulting in DoS"
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-icmp-ignore-bogus-error-responses'"
      ruleId="88acc143-2f76-4418-9aa9-d0d5f244ab5f">
      <check distro="*" command="CheckMatchingLines" regex="^1$" path="/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses" />
    </audit>

    <!-- The live /proc value must be exactly "1". -->
    <audit
      description="Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled. (net.ipv4.icmp_echo_ignore_broadcasts = 1)"
      msid="44"
      cceid="CCE-3644-2"
      severity="Critical"
      impact="An attacker could perform an ICMP attack resulting in DoS"
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-icmp-echo-ignore-broadcasts'"
      ruleId="f5a5926d-9c64-41fa-8220-5bc0f8213550">
      <check distro="*" command="CheckMatchingLines" regex="^1$" path="/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" />
    </audit>

    <!-- Both the "all" and "default" log_martians keys must report 1 in the sysctl output the engine
         reads; the description names only the "all" key. -->
    <audit
      description = "Logging of martian packets (those with impossible addresses) should be enabled for all interfaces. (net.ipv4.conf.all.log_martians = 1)"
      msid="45.1"
      cceid="CCE-4320-8"
      severity="Critical"
      impact="An attacker could send traffic from spoofed addresses without being detected"
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-log-martians'"
      ruleId="dc1c08a3-91e8-1d60-9210-c18bdebd8778">
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.all\.log_martians\s*=\s*1\s*$"/>
      <check distro="*" command="CheckSysctlOutput" regex="^net\.ipv4\.conf\.default\.log_martians\s*=\s*1\s*$"/>
    </audit>

    <!-- The live /proc value must be exactly "1" (strict reverse-path filtering); any other value,
         including 2, does not match this pattern. -->
    <audit
      description="Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.all.rp_filter = 1)"
      msid="46.1"
      cceid="CCE-4080-8"
      severity="Critical"
      impact="The system will accept traffic from addresses that are unroutable."
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rp-filter'"
      ruleId="177e6190-1026-49fb-a1f9-fd5b10302280">
      <check distro="*" command="CheckMatchingLines" regex="^1$" path="/proc/sys/net/ipv4/conf/all/rp_filter" />
    </audit>

    <!-- "default" counterpart of msid 46.1; the live /proc value must be exactly "1". -->
    <audit
      description="Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.default.rp_filter = 1)"
      msid="46.2"
      cceid="CCE-3840-6"
      severity="Critical"
      impact="The system will accept traffic from addresses that are unroutable."
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rp-filter'"
      ruleId="c28d5519-6e3a-466f-8d8c-b351851dfc78">
      <check distro="*" command="CheckMatchingLines" regex="^1$" path="/proc/sys/net/ipv4/conf/default/rp_filter" />
    </audit>

    <!-- The live /proc value must be exactly "1". -->
    <audit
      description="TCP SYN cookies should be enabled. (net.ipv4.tcp_syncookies = 1)"
      msid="47"
      cceid="CCE-4265-5"
      severity="Critical"
      impact="An attacker could perform a DoS over TCP"
      remediation="Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-tcp-syncookies'"
      ruleId="db6ca14e-26c5-48cd-a6b7-fc953861043c">
      <check distro="*" command="CheckMatchingLines" regex="^1$" path="/proc/sys/net/ipv4/tcp_syncookies" />
    </audit>

    <!-- Delegates entirely to CheckNoPromiscInterfaces; which files or interface state it inspects is
         not visible here (the remediation mentions /etc/network/interfaces and /etc/rc.local). -->
    <audit
      description="The system should not act as a network sniffer."
      msid="48"
      cceid="CCE-15013-6"
      severity="Warning"
      impact="An attacker may use promiscuous interfaces to sniff network traffic"
      remediation="Promiscuous mode is enabled via a 'promisc' entry in '/etc/network/interfaces' or '/etc/rc.local.' Check both files and remove this entry."
      ruleId="45766f27-5af3-453d-bade-f8195925cde1">
      <check distro="*" command="CheckNoPromiscInterfaces" />
    </audit>

    <!-- Delegates entirely to CheckNoWirelessInterfaces; how it enumerates interfaces is not visible
         here. -->
    <audit
      description="All wireless interfaces should be disabled."
      msid="49"
      cceid="CCE-4276-2"
      severity="Warning"
      impact="An attacker could create a fake AP to intercept transmissions."
      remediation="Confirm all wireless interfaces are disabled in '/etc/network/interfaces'"
      ruleId="8def2d0c-303a-4c0b-858c-319f80f7c814">
      <check distro="*" command="CheckNoWirelessInterfaces" />
    </audit>

    <!-- Treats the presence of /proc/net/if_inet6 as evidence that IPv6 is enabled; the sysctl
         values named in the remediation are not read by this check. -->
    <audit
      description="The IPv6 protocol should be enabled."
      msid="50"
      cceid="CCE-18455-6"
      severity="Informational"
      impact="This is necessary for communication on modern networks."
      remediation="Open /etc/sysctl.conf and confirm that 'net.ipv6.conf.all.disable_ipv6' and 'net.ipv6.conf.default.disable_ipv6' are set to 0"
      ruleId="f04b1de8-1fd3-40da-a27f-39b7ea97bf8c">
      <check distro="*" command="CheckFileExists" path="/proc/net/if_inet6" />
    </audit>

    <!-- Requires an "install dccp /bin/true" line in some file under /etc/modprobe.d/ (same shape
         as the file-system module audits, msid 6.x). -->
    <audit
      description="Ensure DCCP is disabled"
      msid="54"
      impact="If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
      remediation="Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install dccp /bin/true` then unload the dccp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="93d2736e-7329-8806-3ef6-e71bb2203d11">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+dccp\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>

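    <!-- Requires an "install sctp /bin/true" line in some file under /etc/modprobe.d/ (same shape as
         msid 54 and the msid 6.x module audits). -->
    <audit
      description="Ensure SCTP is disabled"
      msid="55"
      impact="If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
      remediation="Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install sctp /bin/true` then unload the sctp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="78228616-15d4-33fe-0357-88e77f228f05">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+sctp\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>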

    <!-- Requires an "install rds /bin/true" line in some file under /etc/modprobe.d/. -->
    <audit
      description="Disable support for RDS."
      msid="56"
      cceid="CCE-14027-7"
      severity="Warning"
      impact="An attacker could use a vulnerability in RDS to compromise the system"
      remediation="Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install rds /bin/true` then unload the rds module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="d9ed5e76-2348-4409-94dd-c76352407fe8">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+rds\s+/bin/true" path="/etc/modprobe.d/" />
    </audit>

    <!-- Requires an "install tipc /bin/true" line in some file under /etc/modprobe.d/. -->
    <audit
      description="Ensure TIPC is disabled"
      msid="57"
      impact="If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
      remediation="Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install tipc /bin/true` then unload the tipc module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="8ace9b14-820f-6e0d-37d8-c6df950454cd">
      <check distro="*" command="CheckMatchingLinesInDir" regex="^install\s+tipc\s+/bin/true" path="/etc/modprobe.d/"/>
    </audit>

    <audit
      description="The syslog, rsyslog, or syslog-ng package should be installed."
      msid="61"
      cceid="CCE-17742-8"
      severity="Important"
      impact="Reliability and security issues will not be logged, preventing proper diagnosis."
      remediation="Install the rsyslog package, or run '/opt/microsoft/omsagent/plugin/omsremediate -r install-rsyslog'"
      ruleId="8720959b-c356-4eaa-bb4f-720fb8006183">
      <check distro="*" command="CheckPackageInstalledRegexp" packagename="^r?syslog(-ng)?$">
        <dependency type="PackageNotInstalled">systemd</dependency>
      </check>
    </audit>

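    <audit
      description="The systemd-journald service should be configured to persist log messages"
      msid="61.1"
      severity="Important"
      impact="Reliability and security issues will not be logged, preventing proper diagnosis."
      remediation="Create /var/log/journal and ensure that Storage in journald.conf is auto or persistent"
      ruleId="7b3aa0e4-0464-4a0e-a265-9a585c4f266e">
      <!-- journald.conf is written in 'Key=Value' form with no spaces around '=', so the
           separator must be \s* (previously \s+), otherwise 'Storage=volatile' was never
           matched and a volatile journal silently passed this audit.
           NOTE(review): drop-in files under /etc/systemd/journald.conf.d are not inspected. -->
      <check distro="*" command="CheckNoMatchingLines" regex="^Storage\s*=\s*(volatile|none)" path="/etc/systemd/journald.conf">
        <dependency type="PackageInstalled">systemd</dependency>
      </check>
      <check distro="*" command="CheckFileStats" path="/var/log/journal" owner="root" mode="2775" file-type="dir" allow-stricter="true">
        <dependency type="PackageInstalled">systemd</dependency>
      </check>
    </audit>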

    <audit
      description="Ensure a logging service is enabled"
      msid="62"
      impact="It is imperative to have the ability to log events on a node."
      remediation="Enable the rsyslog package or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rsyslog'"
      ruleId="4c4e42e2-4cd2-3eaf-147b-ea4f61164d3e">
      <check distro="*" command="CheckServiceStatus" service="rsyslog" expect="running">
        <dependency type="PackageNotInstalled">syslog-ng</dependency>
        <dependency type="PackageNotInstalled">systemd</dependency>
      </check>
      <check distro="*" command="CheckServiceStatus" service="syslog-ng" expect="running">
        <dependency type="PackageNotInstalled">rsyslog</dependency>
        <dependency type="PackageNotInstalled">systemd</dependency>
      </check>
      <check distro="*" command="CheckServiceStatus" service="systemd-journald" expect="running">
        <dependency type="PackageInstalled">systemd</dependency>
      </check>
    </audit>

    <audit
      description="File permissions for all rsyslog log files should be set to 640 or 600."
      msid="63"
      cceid="CCE-18095-0"
      severity="Important"
      impact="An attacker could hide activity by manipulating logs"
      remediation="Add the line '$FileCreateMode 0640' to the file '/etc/rsyslog.conf'"
      ruleId="fcc86485-487a-4644-87a0-f29f1b1cd28b">
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^[\s]*.FileCreateMode\s+06[04]0" path="/etc/rsyslog.conf" />
      <check distro="*" command="CheckMatchingLinesIfExists" filter="^options\s*{" regex="perm\(06(4|0)0\);" path="/etc/syslog-ng/syslog-ng.conf" />
    </audit>

    <audit
      description="All rsyslog log files should be owned by the adm group."
      msid="64"
      cceid="CCE-18240-2"
      severity="Important"
      impact="An attacker could hide activity by manipulating logs"
      remediation="Add the line '$FileGroup adm' to the file '/etc/rsyslog.conf'"
      ruleId="c1d99621-913e-45f7-96e1-a60b1af83015">
      <check distro="Ubuntu|Debian" command="CheckMatchingLinesIfExists" regex="^[\s]*.FileGroup\s+adm" path="/etc/rsyslog.conf" />
    </audit>

    <audit
      description="All rsyslog log files should be owned by the syslog user."
      msid="65"
      cceid="CCE-17857-4"
      severity="Important"
      impact="An attacker could hide activity by manipulating logs"
      remediation="Add the line '$FileOwner syslog' to the file '/etc/rsyslog.conf' or run '/opt/microsoft/omsagent/plugin/omsremediate -r syslog-owner'"
      ruleId="2830790c-5b3f-43cb-be6b-7572e441acc1">
      <check distro="*" command="CheckMatchingLines" regex="^[\s]*.FileOwner\s+syslog" path="/etc/rsyslog.conf">
        <dependency type="FileExists">/etc/rsyslog.conf</dependency>
      </check>
    </audit>

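    <audit
      description="Rsyslog should not accept remote messages."
      msid="67"
      cceid="CCE-17639-6"
      severity="Important"
      impact="An attacker could inject messages into syslog, causing a DoS or a distraction from other activity"
      remediation="Remove the lines '$ModLoad imudp' and '$ModLoad imtcp' (or the equivalent module(load=&quot;imudp&quot;) / module(load=&quot;imtcp&quot;) statements) from the file '/etc/rsyslog.conf'"
      ruleId="1e9567e1-d96d-4f90-be1a-0809947e789c">
      <!-- The network input modules can be loaded either with the legacy '$ModLoad imudp'
           directive or with the RainerScript 'module(load="imudp")' statement; the previous
           pattern only recognised the legacy form (and used '.' where the literal '$' was
           meant). Commented-out lines are still ignored by the leading anchor.
           NOTE(review): included files under /etc/rsyslog.d are not inspected. -->
      <check distro="!SLES" command="CheckNoMatchingLinesIfExists" regex="^[\s]*(\$ModLoad\s+im(udp|tcp)|module\(\s*load\s*=\s*&quot;im(udp|tcp)&quot;)" path="/etc/rsyslog.conf" />
    </audit>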

    <audit
      description="The logrotate (syslog rotater) service should be enabled."
      msid="68"
      cceid="CCE-4182-2"
      severity="Critical"
      impact="Logfiles could grow unbounded and consume all disk space"
      remediation="Install the logrotate package and confirm the logrotate cron entry is active (chmod 755 /etc/cron.daily/logrotate; chown root:root /etc/cron.daily/logrotate)"
      ruleId="2d2355e7-7b07-4c0e-a395-16499c27ae94">
      <check distro="*" command="CheckFileStats" path="/etc/cron.daily/logrotate" owner="root" group="root" mode="755" allow-stricter="true">
        <dependency type="SystemDUnitNotExists">logrotate.timer</dependency>
      </check>
      <check distro="*" command="CheckServiceStatus" service="logrotate.timer" expect="running">
        <dependency type="SystemDUnitExists">logrotate.timer</dependency>
      </check>
    </audit>

    <audit
      description="The rlogin service should be disabled."
      msid="69"
      cceid="CCE-3537-8"
      severity="Critical"
      impact="An attacker could gain access, bypassing strict authentication requirements"
      remediation="Remove the inetd service."
      ruleId="f57ef648-bdaa-45a3-9e3a-f4649c48896f">
      <check distro="*" command="CheckNoMatchingLinesIfExists" regex="^[\s\t]*login" path="/etc/inetd.conf" />
    </audit>

    <audit
      description="Disable inetd unless required. (inetd)"
      msid="70.1"
      cceid="CCE-4234-1"
      severity="Important"
      impact="An attacker could exploit a vulnerability in an inetd service to gain access"
      remediation="Uninstall the inetd service (apt-get remove inetd)"
      ruleId="a8a37e7f-9aae-41cf-8313-42d1f69506b9">
      <check distro="*" command="CheckServiceDisabled" service="inetd" />
    </audit>

    <audit
      description="Disable xinetd unless required. (xinetd)"
      msid="70.2"
      cceid="CCE-4252-3"
      severity="Important"
      impact="An attacker could exploit a vulnerability in a xinetd service to gain access"
      remediation="Uninstall the xinetd service (apt-get remove xinetd)"
      ruleId="1d9557b2-b58f-4f81-bde9-4f9b08a3b2f1">
      <check distro="*" command="CheckServiceDisabled" service="xinetd" />
    </audit>

    <audit
      description="Install inetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required)"
      msid="71.1"
      cceid="CCE-4023-8"
      severity="Important"
      impact="An attacker could exploit a vulnerability in an inetd service to gain access"
      remediation="Uninstall the inetd service (apt-get remove inetd)"
      ruleId="d6bcd055-26cf-416e-a395-a9169b79f74c">
      <check distro="*" command="CheckPackageNotInstalled" packagename="inetd" />
    </audit>

    <audit
      description="Install xinetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required)"
      msid="71.2"
      cceid="CCE-4164-0"
      severity="Important"
      impact="An attacker could exploit a vulnerability in an xinetd service to gain access"
      remediation="Uninstall the xinetd service (apt-get remove xinetd)"
      ruleId="0552f68e-b759-4aa7-a211-d48b2f6d2117">
      <check distro="*" command="CheckPackageNotInstalled" packagename="xinetd" />
    </audit>

    <audit
      description="The telnet service should be disabled."
      msid="72"
      cceid="CCE-3390-2"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted telnet sessions"
      remediation="Remove or comment out the telnet entry in the file '/etc/inetd.conf'"
      ruleId="0617b91c-2a28-42bd-b5b3-7562555b41ed">
      <check distro="*" command="CheckNoMatchingLinesIfExists" regex="^[\s\t]*telnet" path="/etc/inetd.conf" />
    </audit>

    <audit
      description="All telnetd packages should be uninstalled."
      msid="73"
      cceid="CCE-4330-7"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted telnet sessions"
      remediation="Uninstall any telnetd packages"
      ruleId="6c716f88-a252-4fe9-9c5c-ba9236a80beb">
      <check distro="*" command="CheckPackageNotInstalledRegexp" packagename="[a-z-]*telnetd" />
    </audit>

    <audit
      description="The rcp/rsh service should be disabled."
      msid="74"
      cceid="CCE-4141-8"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted sessions"
      remediation="Remove or comment out the shell entry in the file '/etc/inetd.conf'"
      ruleId="dda66a42-30d1-4621-9565-f09628ac8047">
      <check distro="*" command="CheckNoMatchingLinesIfExists" regex="^[\s\t]*shell" path="/etc/inetd.conf" />
    </audit>

    <audit
      description="The rsh-server package should be uninstalled."
      msid="77"
      cceid="CCE-4308-3"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted rsh sessions"
      remediation="Uninstall the rsh-server package (apt-get remove rsh-server)"
      ruleId="b256491f-f804-4c44-bfa4-057dd2f44c30">
      <check distro="*" command="CheckPackageNotInstalled" packagename="rsh-server" />
    </audit>

    <audit
      description="The ypbind service should be disabled."
      msid="78"
      cceid="CCE-3705-1"
      severity="Important"
      impact="An attacker could retrieve sensitive information from the ypbind service"
      remediation="Uninstall the nis package (apt-get remove nis)"
      ruleId="58f5187e-88bd-4f24-8570-2c295d5c93c6">
      <check distro="*" command="CheckServiceDisabled" service="nis" />
    </audit>

    <audit
      description="The nis package should be uninstalled."
      msid="79"
      cceid="CCE-4348-9"
      severity="Important"
      impact="An attacker could retrieve sensitive information from the NIS service"
      remediation="Uninstall the nis package (apt-get remove nis)"
      ruleId="7da0b32e-ced5-42eb-aa1e-6df90281e59c">
      <check distro="*" command="CheckPackageNotInstalled" packagename="nis" />
    </audit>

    <audit
      description="The tftp service should be disabled."
      msid="80"
      cceid="CCE-4273-9"
      severity="Important"
      impact="An attacker could eavesdrop or hijack an unencrypted session"
      remediation="Remove the tftp entry from the file '/etc/inetd.conf'"
      ruleId="cb086aef-fec2-467f-a03b-627c00020926">
      <check distro="*" command="CheckNoMatchingLinesIfExists" regex="^[\s\t]*tftp" path="/etc/inetd.conf" />
    </audit>

    <audit
      description="The tftpd package should be uninstalled."
      msid="81"
      cceid="CCE-3916-4"
      severity="Important"
      impact="An attacker could eavesdrop or hijack an unencrypted session"
      remediation="Uninstall the tftpd package (apt-get remove tftpd)"
      ruleId="ae9ce111-ef4d-4d34-8f76-fdc38263f153">
      <check distro="*" command="CheckPackageNotInstalled" packagename="tftpd" />
    </audit>

    <audit
      description="The readahead-fedora package should be uninstalled."
      msid="82"
      cceid="CCE-4421-4"
      severity="Informational"
      impact="The package creates no substantial exposure, but also adds no substantial benefit."
      remediation="Uninstall the readahead-fedora package (apt-get remove readahead-fedora)"
      ruleId="dbae0d26-55e9-49d5-8782-86cb7412f99f">
      <check distro="*" command="CheckPackageNotInstalled" packagename="readahead-fedora" />
    </audit>

    <audit
      description="The bluetooth/hidd service should be disabled."
      msid="84"
      cceid="CCE-4355-4"
      severity="Warning"
      impact="An attacker could intercept or manipulate wireless communications."
      remediation="Uninstall the bluetooth package (apt-get remove bluetooth)"
      ruleId="9f107bb8-eaf3-445d-acbb-7ab635b442e9">
      <check distro="*" command="CheckServiceDisabled" service="bluetooth" />
    </audit>

    <audit
      description="The isdn service should be disabled."
      msid="86"
      cceid="CCE-4286-1"
      severity="Warning"
      impact="An attacker could use a modem to gain unauthorized access"
      remediation="Uninstall the isdnutils-base package (apt-get remove isdnutils-base)"
      ruleId="51ebf409-911a-4d92-9d3a-1e331e7e4b27">
      <check distro="*" command="CheckServiceDisabled" service="isdnutils-base" />
    </audit>

    <audit
      description="The isdnutils-base package should be uninstalled."
      msid="87"
      cceid="CCE-14825-4"
      severity="Warning"
      impact="An attacker could use a modem to gain unauthorized access"
      remediation="Uninstall the isdnutils-base package (apt-get remove isdnutils-base)"
      ruleId="49e5cb77-6272-4323-9c19-01fca3e12b9a">
      <check distro="*" command="CheckPackageNotInstalled" packagename="isdnutils-base" />
    </audit>

    <audit
      description="The kdump service should be disabled."
      msid="88"
      cceid="CCE-3425-6"
      severity="Important"
      impact="An attacker could analyze a previous system crash to retrieve sensitive information"
      remediation="Uninstall the kdump-tools package (apt-get remove kdump-tools)"
      ruleId="290d7102-c4e3-4e88-863d-6ddc7e952a5a">
      <check distro="*" command="CheckServiceDisabled" service="kdump-tools" />
    </audit>

    <audit
      description="Zeroconf networking should be disabled."
      msid="89"
      cceid="CCE-14054-1"
      severity="Critical"
      impact="An attacker could abuse this to gain information on networked systems, or spoof DNS requests due to flaws in its trust model"
      remediation="For RedHat, CentOS, and Oracle: Add `NOZEROCONF=yes or no` to /etc/sysconfig/network. For all other distros: Remove any 'ipv4ll' entries in the file '/etc/network/interfaces' or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-zeroconf'"
      ruleId="083550af-f4fe-4e1a-a304-dac894d58908">
      <check distro="and|!RedHat|!CentOS|!Oracle|!SLES" command="CheckNoMatchingLinesIfExists" regex="ipv4ll" path="/etc/network/interfaces" />
      <!--Zeroconf not available on SLES-->
      <check distro="RedHat|CentOS|Oracle" command="CheckMatchingLines" regex="^NOZEROCONF=\w+\s*$" path="/etc/sysconfig/network" />
      <!--Zeroconf status unknown for Mariner -->
    </audit>

    <audit
      description="The crond service should be enabled."
      msid="90"
      cceid="CCE-4324-0"
      severity="Critical"
      impact="Cron is required by almost all systems for regular maintenance tasks"
      remediation="Install the cron package (apt-get install -y cron) and confirm the file '/etc/init/cron.conf' contains the line 'start on runlevel [2345]'"
      ruleId="80302f61-d760-4165-a92b-a789e579380f">
      <check distro="Ubuntu|Debian|SLES" command="CheckServiceEnabled" service="cron" />
      <check distro="CentOS|RedHat|Oracle|Mariner" command="CheckServiceEnabled" service="crond" />
    </audit>

    <audit
      description="File permissions for /etc/anacrontab should be set to root:root 600."
      msid="91"
      cceid="CCE-4304-2"
      severity="Critical"
      impact="An attacker could manipulate this file to prevent scheduled tasks or execute malicious tasks"
      remediation="Set the ownership and permissions on /etc/anacrontab or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-anacrontab-perms'"
      ruleId="8199ae98-8d9c-4a26-88ca-e6d9b87d3644">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/anacrontab" owner="root" group="root" mode="600" allow-stricter="true" />
    </audit>

    <audit
      description="Ensure permissions on /etc/cron.d are configured."
      msid="93"
      impact="Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
      remediation="Set the owner and group of /etc/cron.d to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms'"
      ruleId="efa30987-4c67-73f5-979f-cb50f79466de">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/cron.d" owner="root" group="root" mode="700" allow-stricter="true"/>
    </audit>

    <audit
      description="Ensure permissions on /etc/cron.daily are configured."
      msid="94"
      impact="Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
      remediation="Set the owner and group of /etc/cron.daily to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms'"
      ruleId="0cc35843-7687-60cf-5280-bb98cf9a87c2">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/cron.daily" owner="root" group="root" mode="700" allow-stricter="true"/>
    </audit>

    <audit
      description="Ensure permissions on /etc/cron.hourly are configured."
      msid="95"
      impact="Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
      remediation="Set the owner and group of /etc/cron.hourly to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms'"
      ruleId="ecdce8a2-9986-5833-8211-baf1938c1940">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/cron.hourly" owner="root" group="root" mode="700" allow-stricter="true"/>
    </audit>

    <audit
      description="Ensure permissions on /etc/cron.monthly are configured."
      msid="96"
      impact="Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
      remediation="Set the owner and group of /etc/cron.monthly to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms'"
      ruleId="b5e94c1f-4d12-8bde-4c5e-98c651bd4430">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/cron.monthly" owner="root" group="root" mode="700" allow-stricter="true"/>
    </audit>

    <audit
      description="Ensure permissions on /etc/cron.weekly are configured."
      msid="97"
      impact="Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
      remediation="Set the owner and group of /etc/cron.weekly to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms'"
      ruleId="61417e01-8cc4-86ab-0e3b-867d42dea66d">
      <check distro="*" command="CheckFileStatsIfExists" path="/etc/cron.weekly" owner="root" group="root" mode="700" allow-stricter="true"/>
    </audit>

    <audit
      description="The avahi-daemon service should be disabled."
      msid="114"
      cceid="CCE-4365-3"
      severity="Warning"
      impact="An attacker could use a vulnerability in the avahi daemon to gain access"
      remediation="Disable the avahi-daemon service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-avahi-daemon'"
      ruleId="c3bf78d8-43a0-4768-b790-c940621057b6">
      <check distro="*" command="CheckServiceDisabled" service="avahi-daemon" />
    </audit>

    <audit
      description="The cups service should be disabled."
      msid="115"
      cceid="CCE-4425-5"
      severity="Warning"
      impact="An attacker could use a flaw in the cups service to elevate privileges"
      remediation="Disable the cups service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-cups'"
      ruleId="4854666c-061b-4945-8a25-19133b8d5c7d">
      <check distro="*" command="CheckServiceDisabled" service="cups" />
    </audit>

    <audit
      description="The isc-dhcpd service should be disabled."
      msid="116"
      cceid="CCE-4336-4"
      severity="Important"
      impact="An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation."
      remediation="Remove the isc-dhcp-server package (apt-get remove isc-dhcp-server)"
      ruleId="d56a6c3f-3ad9-4263-a38a-24b7ae4ea918">
      <check distro="*" command="CheckServiceDisabled" service="isc-dhcp-server" />
      <check distro="*" command="CheckServiceDisabled" service="dhcpd" />
    </audit>

    <audit
      description="The isc-dhcp-server package should be uninstalled."
      msid="117"
      cceid="CCE-4464-4"
      severity="Important"
      impact="An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation."
      remediation="Remove the isc-dhcp-server package (apt-get remove isc-dhcp-server)"
      ruleId="660fa012-ca99-4314-a2a8-11728020bac7">
      <check distro="*" command="CheckPackageNotInstalled" packagename="isc-dhcp-server" />
    </audit>

    <audit
      description="The sendmail package should be uninstalled."
      msid="120"
      cceid="CCE-14495-6"
      severity="Important"
      impact="An attacker could use this system to send emails with malicious content to other users"
      remediation="Uninstall the sendmail package (apt-get remove sendmail)"
      ruleId="43356a32-24bb-401c-9746-a27b2be668fa">
      <check distro="*" command="CheckPackageNotInstalled" packagename="sendmail" />
    </audit>

    <audit
      description="The postfix package should be uninstalled."
      msid="121"
      cceid="CCE-14068-1"
      severity="Important"
      impact="An attacker could use this system to send emails with malicious content to other users"
      remediation="Uninstall the postfix package (apt-get remove postfix) or run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-postfix'"
      ruleId="f56bf32f-528f-48b3-9f82-62f5ff4e9787">
      <check distro="*" command="CheckPackageNotInstalled" packagename="postfix" />
    </audit>

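    <audit
      description="Postfix network listening should be disabled as appropriate."
      msid="122"
      cceid="CCE-15018-5"
      severity="Important"
      impact="An attacker could use this system to send emails with malicious content to other users"
      remediation="Add the line 'inet_interfaces = localhost' (or 'inet_interfaces = loopback-only') to the file '/etc/postfix/main.cf'"
      ruleId="d0cc4e35-70a1-4ee5-b572-3b969201562e">
      <!-- The remediation previously described 'inet_interfaces localhost' without '=', which this
           pattern would not have matched. 'loopback-only' is Postfix's documented alias for binding
           the loopback interfaces only and is accepted as equivalent. -->
      <check distro="*" command="CheckMatchingLinesIfExists" regex="^[\s\t]*inet_interfaces\s*=\s*(localhost|loopback-only)\s*$" path="/etc/postfix/main.cf" />
    </audit>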

    <audit
      description="The ldap service should be disabled."
      msid="124"
      cceid="CCE-3501-4"
      severity="Important"
      impact="An attacker could manipulate the LDAP service on this host to distribute false data to LDAP clients"
      remediation="Uninstall the slapd package (apt-get remove slapd)"
      ruleId="b577b358-6ec9-4ed7-b0df-259e44713b16">
      <check distro="*" command="CheckPackageNotInstalled" packagename="slapd" />
    </audit>

    <audit
      description="The rpcgssd service should be disabled."
      msid="126"
      cceid="CCE-3535-2"
      severity="Important"
      impact="An attacker could use a flaw in rpcgssd/nfs to gain access"
      remediation="Disable the rpcgssd service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcgssd'"
      ruleId="9c11dc9f-ab7e-4c3f-923f-5a8fc4e97cb9">
      <check distro="*" command="CheckServiceDisabled" service="rpcgssd" />
    </audit>

    <audit
      description="The rpcidmapd service should be disabled."
      msid="127"
      cceid="CCE-3568-3"
      severity="Important"
      impact="An attacker could use a flaw in idmapd/nfs to gain access"
      remediation="Disable the rpcidmapd service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcidmapd'"
      ruleId="b600d670-5b01-4458-9143-8aa7cd25dadc">
      <check distro="*" command="CheckServiceDisabled" service="rpcidmapd" />
    </audit>

    <audit
      description="The portmap service should be disabled."
      msid="129.1"
      cceid="CCE-4550-0"
      severity="Important"
      impact="An attacker could use a flaw in portmap to gain access"
      remediation="Disable the rpcbind service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcbind'"
      ruleId="f4a80328-1d67-45ed-b915-274d2e6c699e">
      <check distro="Debian|Ubuntu|Oracle|CentOS&lt;7|RedHat&lt;7|SLES=11" command="CheckServiceDisabled" service="rpcbind" />
      <check distro="CentOS&gt;=7|RedHat&gt;=7|SLES&gt;11|Mariner" command="CheckServiceDisabled" service="rpcbind.service,rpcbind.socket" />
    </audit>

    <audit
      description="The Network File System (NFS) service should be disabled."
      msid="129.2"
      cceid="CCE-4550-1"
      severity="Important"
      impact="An attacker could use nfs to mount shares and execute/copy files."
      remediation="Disable the nfs service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-nfs'"
      ruleId="ee372ff3-9221-498b-b467-7406bf421168"> 
      <check distro="*" command="CheckServiceDisabled" service="nfs-server" />
    </audit>

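    <audit
      description="The rpcsvcgssd service should be disabled."
      msid="130"
      cceid="CCE-4491-7"
      severity="Important"
      impact="An attacker could use a flaw in rpcsvcgssd to gain access"
      remediation="Remove the line 'NEED_SVCGSSD=yes' (quoted or unquoted) from the file '/etc/inetd.conf'"
      ruleId="78963287-11b9-471b-9122-e6829e105989">
      <!-- The quotes around 'yes' are optional: the previous pattern only matched the quoted form,
           so the unquoted setting described by the remediation text was never detected.
           NOTE(review): on Debian-based systems this variable is normally set in
           /etc/default/nfs-common rather than /etc/inetd.conf; confirm the intended path. -->
      <check distro="*" command="CheckNoMatchingLinesIfExists" regex="^[\s\t]*NEED_SVCGSSD\s*=\s*&quot;?yes&quot;?" path="/etc/inetd.conf" />
    </audit>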

    <audit
      description="The named service should be disabled."
      msid="131"
      cceid="CCE-3578-2"
      severity="Warning"
      impact="An attacker could use the DNS service to distribute false data to clients"
      remediation="Uninstall the bind9 package (apt-get remove bind9)"
      ruleId="361a6cb4-f761-426f-a9d0-9e82ec0b3285">
      <check distro="*" command="CheckServiceDisabled" service="bind9" />
    </audit>

    <audit
      description="The bind package should be uninstalled."
      msid="132"
      cceid="CCE-4219-2"
      severity="Warning"
      impact="An attacker could use the DNS service to distribute false data to clients"
      remediation="Uninstall the bind9 package (apt-get remove bind9)"
      ruleId="696f915a-2733-42cd-9496-135718280bb9">
      <check distro="*" command="CheckPackageNotInstalled" packagename="bind9" />
    </audit>

    <audit
      description="The dovecot service should be disabled."
      msid="137"
      cceid="CCE-3847-1"
      severity="Warning"
      impact="The system could be used as an IMAP/POP3 server"
      remediation="Uninstall the dovecot-core package (apt-get remove dovecot-core)"
      ruleId="b0b6cf96-bd8a-40c5-b051-4615078a0bf0">
      <check distro="*" command="CheckServiceDisabled" service="dovecot" />
    </audit>

    <audit
      description="The dovecot package should be uninstalled."
      msid="138"
      cceid="CCE-4239-0"
      severity="Warning"
      impact="The system could be used as an IMAP/POP3 server"
      remediation="Uninstall the dovecot-core package (apt-get remove dovecot-core)"
      ruleId="9bd9ffdf-9a4b-4aff-816a-f365c7e7046b">
      <check distro="*" command="CheckPackageNotInstalled" packagename="dovecot-core" />
    </audit>

    <audit
      description="Ensure no legacy `+` entries exist in /etc/passwd"
      msid="156.1"
      cceid="CCE-4114-5"
      severity="Critical"
      impact="An attacker could gain access by using the username '+' with no password"
      remediation="Remove any entries in /etc/passwd that begin with '+:'"
      ruleId="cc627f0c-3b72-6cc9-36b0-d2a3957431f4">
      <check distro="*" command="CheckNoMatchingLines" regex="^\+:" path="/etc/passwd"/>
    </audit>

    <audit
      description="Ensure no legacy `+` entries exist in /etc/shadow"
      msid="156.2"
      cceid="CCE-14071-5"
      severity="Critical"
      impact="An attacker could gain access by using the username '+' with no password"
      remediation="Remove any entries in /etc/shadow that begin with '+:'"
      ruleId="1a102d2e-76db-5ccf-3580-ccda064e8df3">
      <check distro="*" command="CheckNoMatchingLines" regex="^\+:" path="/etc/shadow"/>
    </audit>

    <audit
      description="Ensure no legacy `+` entries exist in /etc/group"
      msid="156.3"
      cceid="CCE-14675-3"
      severity="Critical"
      impact="An attacker could gain access by using the username '+' with no password"
      remediation="Remove any entries in /etc/group that begin with '+:'"
      ruleId="b487e075-15b4-0df1-550f-d8d5edd78eb4">
      <check distro="*" command="CheckNoMatchingLines" regex="^\+:" path="/etc/group"/>
    </audit>

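    <audit
      description="Ensure password expiration is 365 days or less."
      msid="157.1"
      impact="Reducing the maximum age of a password also reduces an attacker's window of opportunity to leverage compromised credentials or successfully compromise credentials via an online brute force attack."
      remediation="Set the `PASS_MAX_DAYS` parameter to no more than 365 in `/etc/login.defs` or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-password-policy-max-days'"
      ruleId="6ee7250d-142f-57db-25d0-c58207135059">
      <!-- The numeric alternatives must be grouped. Ungrouped, only the first alternative carried
           the '^PASS_MAX_DAYS' anchor; the others (e.g. '[1-2][0-9]{1,2}$') were free-floating and
           matched any login.defs line ending in such digits, such as 'UMASK 022', so the audit
           passed regardless of the actual PASS_MAX_DAYS value. Accepted range: 0-365. -->
      <check distro="*" command="CheckMatchingLines" path="/etc/login.defs" regex="^PASS_MAX_DAYS\s+([0-9]{1,2}|[1-2][0-9]{2}|3[0-5][0-9]|36[0-5])$"/>
    </audit>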

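    <audit
      description="Ensure password expiration warning days is 7 or more."
      msid="157.2"
      impact="Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
      remediation="Set the `PASS_WARN_AGE` parameter to 7 or more in `/etc/login.defs` or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-password-policy-warn-age'"
      ruleId="b7ac978f-0963-a61f-58ae-5cf84ab76b5d">
      <!-- '(?:' is the non-capturing group; the earlier '(:?' was a typo that made a literal colon
           optional before the number. Accepted values: 7-9 or any two-or-more digit number. -->
      <check distro="*" command="CheckMatchingLines" path="/etc/login.defs" regex="^PASS_WARN_AGE\s+(?:[7-9]|[1-9][0-9]+)$"/>
    </audit>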

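    <audit
      description="Ensure password reuse is limited."
      msid="157.5"
      impact="Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password."
      remediation="Ensure the 'remember' option is set to at least 5 in either /etc/pam.d/common-password or both /etc/pam.d/password-auth and /etc/pam.d/system-auth or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-password-policy-history'"
      ruleId="57bdeae2-863e-14fb-a463-d6ee64816b33">
      <!-- '(?:' is the non-capturing group; the earlier '(:?' was a typo that made a literal colon
           optional after 'remember='. Accepted values: 5-9 or any two-or-more digit number.
           The filter restricts matching to 'password required' lines in the respective PAM file. -->
      <check distro="Ubuntu|Debian" command="CheckMatchingLines" path="/etc/pam.d/common-password" filter="^password\s+required\s+" regex="\s+remember=(?:[5-9]|[1-9][0-9]+)"/>
      <check distro="CentOS|RedHat|Oracle" command="CheckMatchingLines" path="/etc/pam.d/password-auth" filter="^password\s+required\s+" regex="\s+remember=(?:[5-9]|[1-9][0-9]+)"/>
      <check distro="CentOS|RedHat|Oracle" command="CheckMatchingLines" path="/etc/pam.d/system-auth" filter="^password\s+required\s+" regex="\s+remember=(?:[5-9]|[1-9][0-9]+)"/>
      <check distro="Mariner" command="CheckMatchingLines" path="/etc/pam.d/system-password" filter="^password\s+required\s+" regex="\s+remember=(?:[5-9]|[1-9][0-9]+)"/>
    </audit>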

    <audit
      description="Ensure password hashing algorithm is SHA-512"
      msid="157.11"
      severity="Critical"
      impact="The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
      remediation="Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option:
```
password sufficient pam_unix.so sha512
```"
	    ruleId="01ec5346-882b-485d-8960-01dedd608792">
      <check distro="*" command="CheckMatchingLinesInFiles" regex="sha512" filter="^password\s.*\s*pam_unix.so\s+\S+" path="/etc/pam.d/common-password|/etc/pam.d/system-auth|/etc/pam.d/system-password" />
      <check distro="*" command="CheckMatchingLines" regex="^ENCRYPT_METHOD\s+SHA512" path="/etc/login.defs" />
    </audit>

    <audit
      description="Ensure minimum days between password changes is 7 or more."
      msid="157.12"
      severity="Critical"
      impact="By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
      remediation="Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs`: `PASS_MIN_DAYS 7`. Modify user parameters for all users with a password set to match: `chage --mindays 7`  or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-pass-min-days'"
      ruleId="50272a84-672d-4c11-a67e-9d058adaf67a">
      <check distro="*" command="CheckMatchingLines" regex="^\s*PASS_MIN_DAYS\s+(:?[7-9]|[1-9][0-9]+)\s*$" path="/etc/login.defs" />
    </audit>

    <audit
      description="Ensure all users last password change date is in the past"
      msid="157.14"
      severity="Critical"
      impact="If a users recorded password change date is in the future, then they could bypass any set password expiration."
      remediation="Ensure inactive password lock is 30 days or less
Run the following command to set the default password inactivity period to 30 days:
```
# useradd -D -f 30
```
Modify user parameters for all users with a password set to match:
```
# chage --inactive 30 
```"
	    ruleId="91fbaeac-f5d0-4ac9-aa1b-52215aef1ed8">
      <!-- NOTE(review): the remediation text belongs to a different control (inactive password
           lock) and does not address what this check tests: CheckShadowDate compares field 2 of
           /etc/shadow (presumably the last-change date) against now. A future date is corrected by
           resetting that date, e.g. "chage -d YYYY-MM-DD USER", or by forcing a password change.
           TODO confirm which msid the inactivity text was meant for. -->
      <check distro="*" command="CheckShadowDate" key="2" expect="before" value="now" path="/etc/shadow" />
    </audit>

    <audit
      description="Ensure system accounts are non-login"
      msid="157.15"
      severity="Critical"
      impact="It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to `/usr/sbin/nologin`. This prevents the account from potentially being used to run any commands."
      remediation="Set the shell for any accounts returned by the audit script to `/sbin/nologin`"
      ruleId="448b668a-738c-420b-b332-51ea49922933">
      <check distro="*" command="CheckSystemAccounts" />
    </audit>

    <audit
      description="Ensure default group for the root account is GID 0"
      msid="157.16"
      severity="Critical"
      impact="Using GID 0 for the `root` account helps prevent `root`-owned files from accidentally becoming accessible to non-privileged users."
      remediation="Run the following command to set the `root` user default group to GID `0` :
```
# usermod -g 0 root
```"
      ruleId="732fa92f-647e-47b8-b5a4-fdf00b02d9e2">
      <check distro="*" command="CheckMatchingLines" regex="^root:x:[0-9]+:0" path="/etc/passwd" />
    </audit>

    <audit
      description="Ensure root is the only UID 0 account"
      msid="157.18"
      severity="Critical"
      impact="This access must be limited to only the default `root` account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism."
      remediation="Remove any users other than `root` with UID `0` or assign them a new UID if appropriate."
      ruleId="b5845ff3-42f4-4112-b2a2-5b827232a053">
      <check distro="*" command="CheckRootUID" path="/etc/passwd"/>
    </audit>

    <audit
      description="Remove unnecessary packages"
      msid="158"
      cceid="CCE-XXXXX-6"
      severity="Informational"
      impact=""
      remediation="Run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-landscape-common'"
      ruleId="29a14c8c-c7fe-4168-accf-ec224141ba65">
      <check distro="Ubuntu" command="CheckPackageNotInstalled" packagename="landscape-common" />
    </audit>

    <audit
      description="Remove unnecessary accounts"
      msid="159"
      cceid="CCE-XXXXX-7"
      severity="Informational"
      impact="For compliance"
      remediation="Remove the unnecessary accounts"
      ruleId="627b7494-0e62-4093-9f77-db8d526d036b">
      <check distro="Ubuntu" command="CheckNoMatchingLines" regex="^games:" path="/etc/passwd" />
    </audit>

    <audit
      description="Ensure SNMP Server is not enabled"
      msid="179"
      severity="Warning"
      impact="The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
      remediation="Run one of the following commands to disable `snmpd`:
```
# chkconfig snmpd off
```
```
# systemctl disable snmpd
```
```
# update-rc.d snmpd disable
```"
      ruleId="ca1aea32-3969-49ab-abfc-2c5796a9a8bb">
      <check distro="*" command="CheckServiceDisabled" service="snmpd" />
    </audit>

    <audit
      description="Ensure rsync service is not enabled"
      msid="181"
      severity="Critical"
      impact="The `rsyncd` service presents a security risk as it uses unencrypted protocols for communication."
      remediation="Run one of the following commands to disable `rsyncd` : `chkconfig rsyncd off`, `systemctl disable rsyncd`, `update-rc.d rsyncd disable` or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rsync'"
      ruleId="63aba603-b1f8-40df-82c5-38915452ce23">
      <check distro="*" command="CheckServiceDisabled" service="rsync" />
    </audit>

    <audit
      description="Ensure NIS server is not enabled"
      msid="182"
      severity="Warning"
      impact="The NIS service is an inherently insecure system that has been vulnerable to DoS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS is generally replaced by protocols like Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and more secure services be used."
      remediation="Run one of the following commands to disable `ypserv` :
```
# chkconfig ypserv off
```
```
# systemctl disable ypserv
```
```
# update-rc.d ypserv disable
```"
      ruleId="b4ad3fdd-7b68-4b11-a3ed-84b37a68b995">
      <check distro="*" command="CheckServiceDisabled" service="ypserv" />
    </audit>

    <audit
      description="Ensure rsh client is not installed"
      msid="183"
      severity="Critical"
      impact="These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the `rsh` package removes the clients for `rsh`, `rcp` and `rlogin`."
      remediation="Uninstall `rsh` using the appropriate package manager or manual installation:
```
yum remove rsh
```
```
apt-get remove rsh
```
```
zypper remove rsh
```"
      ruleId="6d441f31-f888-4f4f-b1da-7cfc26263e3f">
      <check distro="*" command="CheckPackageNotInstalled" packagename="rsh" />
    </audit>

    <audit
      description="Disable SMB V1 with Samba"
      msid="185"
      severity="Critical"
      impact="SMB v1 has well-known, serious vulnerabilities and does not encrypt data in transit. If it must be used for business reasons, it is strongly recommended that additional steps be taken to mitigate the risks inherent to this protocol."
      remediation="If Samba is not running, remove the package; otherwise there should be a line in the [global] section of /etc/samba/smb.conf: min protocol = SMB2 or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-smb-min-version'"
      ruleId="7624efb0-3026-4c72-8920-48d5be78a50e">
      <check 
        distro="*" 
        command="CheckMatchingLinesSection" 
        regex="\s*min protocol\s+=\s+SMB2" 
        expect="^\s*\[global\]" 
        path="/etc/samba/smb.conf" 
        key="^\s*\[.+\]">
        <dependency type="ServiceStatus">samba|running</dependency>
      </check>
    </audit>
  </audits>
  <remediations>
  <!--
    Remediations are performed in the order they appear in this file.
    All actions in a remediation that match the distro are performed, and in the order they appear.
  -->

    <remediation id="remove-postfix" msids="121" description="Remove the postfix package">
      <action distro="*" action="ActionRemovePackage" package="postfix"/>
    </remediation>

    <remediation id="remove-landscape-common" msids="158" description="Ensure landscape-common is not installed">
      <action distro="Ubuntu" action="ActionRemovePackage" package="landscape-common"/>
    </remediation>

    <remediation id="fix-su-permissions" msids="21" description="Fix su permissions">
      <action distro="!SLES" action="ActionScript">
        <script>
        <![CDATA[
sed -i 's/^#*\s*\(auth\s\+required\s\+pam_wheel.so\)\(\s\+use_uid\)\?$/\1 use_uid/g' /etc/pam.d/su
        ]]>
        </script>
      </action>
      <action distro="SLES" action="ActionScript">
        <!-- This change isn't sufficient on SLES -->
        <script>
        <![CDATA[
if [ -z "$(egrep '^\s*auth\s+required\s+pam_wheel.so\s+use_uid\s*$' /etc/pam.d/su)" ]; then
    sed -i 's/\(\s*auth\s\+sufficient\s\+pam_rootok.so\s*\)$/\1\nauth required pam_wheel.so use_uid/g' /etc/pam.d/su
fi
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="fix-home-dir-permissions" msids="28" description="Fix home dir permissions">
      <action distro="*" action="ActionScript">
        <!-- NOTE(review): "chmod 750 /home/*" applies to every entry in /home, including regular
             files, not only user directories; the "chmod 750 /var/run/dbus" line is duplicated and
             errors when that directory does not exist; and the sed lines rewrite every four-digit
             chmod in the init script to 0750, not just the one for /var/run/sshd. The ssh.conf
             pattern only matches digits immediately after "-m" (no space). TODO confirm. -->
        <script>
        <![CDATA[
chmod 750 /home/*
if [ -e /var/lib/libuuid ]; then
    chmod 750 /var/lib/libuuid
fi
chmod 750 /var/run/dbus
chmod 750 /var/run/dbus
# /var/run/sshd created by service at bootup
if [ -e /etc/init.d/ssh ]; then
  sed -i 's/\(chmod\s\+\)[0-7]\{4\}/\10750/g' /etc/init.d/ssh
fi
if [ -e /etc/init.d/sshd ]; then
  sed -i 's/\(chmod\s\+\)[0-7]\{4\}/\10750/g' /etc/init.d/sshd
fi
if [ -e /etc/init/ssh.conf ]; then
  sed -i 's/\(mkdir\s\+-p\s\+-m\)[0-9]\{4\}/\10750/g' /etc/init/ssh.conf
fi
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="set-default-user-umask" msids="29" description="Set default umask for all users to 077">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
# (Audit 29) Set default umask to 077
sed -i 's/^\(UMASK\s\+\)[0-9]\{3\}/\1077/g' /etc/login.defs
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-zeroconf" msids="89" description="Disable Zeroconf networking">
      <!-- NOTE(review): distro="Centos" differs in case from the "CentOS" spelling used elsewhere
           in this file (e.g. disable-rpcbind, configure-syslog-file-create-mode); if distro
           matching is case-sensitive this action never runs on CentOS. value-regex="/w" also
           looks like a typo for "\w" (compare syslog-owner); as written it only matches a literal
           slash followed by w. TODO confirm. -->
      <action distro="Centos|RedHat|Oracle" action="ActionEditConfig" name="NOZEROCONF" value="yes" value-regex="/w" sep="=" path="/etc/sysconfig/network"/>
    </remediation>


    <remediation id="enable-tcp-syncookies" msids="47" description="Enable tcp_syncookies">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.tcp_syncookies" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
sysctl -w net.ipv4.tcp_syncookies=1
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="enable-rp-filter" msids="46.1,46.2" description="Enable reverse path filter">
      <!-- TODO: Add ipv6 once that support gets added to the kernel. -->
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.rp_filter" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.rp_filter" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
for i in $(sysctl -N net.ipv4.conf 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.rp_filter')
do
    sysctl -w $i=1
done
        ]]>
        </script>
      </action>
    </remediation>


    <remediation id="disable-accept-redirects" msids="38.4" description="Disable accept-redirects">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.default.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.all.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv[46]\.conf\.[^\.]+\.accept_redirects')
do
    sysctl -w $i=0
done
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-secure-redirects" msids="38.5" description="Disable secure_redirects">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.secure_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.secure_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.secure_redirects')
do
    sysctl -w $i=0
done
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-send-redirects" msids="38.3" description="Disable send_redirects">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.send_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.send_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.send_redirects')
do
    sysctl -w $i=0
done
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-accept-source-route" msids="40.1,40.2,42.1,42.2" description="Disable accept_source_route">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.default.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.all.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv[46]\.conf\.[^\.]+\.accept_source_route')
do
    sysctl -w $i=0
done
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="enable-log-martians" msids="45.1,45.2" description="Enable log_martians">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.log_martians" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.log_martians" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.log_martians')
do
    sysctl -w $i=1
done
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="enable-icmp-ignore-bogus-error-responses" msids="43" description="Enable icmp_ignore_bogus_error_responses">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.icmp_ignore_bogus_error_responses" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="enable-icmp-echo-ignore-broadcasts" msids="44" description="Enable icmp_echo_ignore_broadcasts">
      <action distro="*" action="ActionEditConfig" name="net.ipv4.icmp_echo_ignore_broadcasts" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="install-rsyslog" msids="61" description="Install rsyslog">
      <action distro="*" action="ActionInstallPackage" package="rsyslog"/>
    </remediation>

    <remediation id="enable-rsyslog" msids="62" description="Enable rsyslog">
      <action distro="!SLES=11" action="ActionEnableService" service="rsyslog"/>
      <action distro="SLES=11" action="ActionEnableService" service="syslog"/>
      <action distro="!SLES=11" action="ActionRestartService" service="rsyslog"/>
      <action distro="SLES=11" action="ActionRestartService" service="syslog"/>
    </remediation>

    <remediation id="configure-syslog-file-create-mode" msids="63" description="Configure rsyslog $FileCreateMode">
      <action distro="CentOS|RedHat|Oracle" action="ActionScript">
        <!-- NOTE(review): in an extended regex "$" is an anchor, so "^\s*$FileCreateMode" most
             likely never matches; the guard is then always true and every run inserts another
             "$FileCreateMode 0640" line. Escaping it as "\$FileCreateMode" would fix that. The
             "2>&1" also feeds egrep's error text into the test, so a missing rsyslog.conf looks
             like "already configured", and nothing is inserted unless a line containing
             "GLOBAL DIRECTIVES" exists. TODO confirm. -->
        <script>
        <![CDATA[
if [ -z "$(egrep '^\s*$FileCreateMode' /etc/rsyslog.conf 2>&1)" ]; then
    sed -i 's/^\(.*GLOBAL DIRECTIVES.*\)$/\1\n\$FileCreateMode 0640/g' /etc/rsyslog.conf
fi
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="syslog-owner" msids="65" description="Ensure rsyslog files are owned by the syslog user">
      <action distro="*" action="ActionEditConfig" name="$FileOwner" name-regex="\$FileOwner" value="syslog" value-regex="\w+" path="/etc/rsyslog.conf"/>
    </remediation>

    <remediation id="set-etc-shadow-perms" msids="11.1,11.2" description="Set permissions on /etc/shadow">
      <action distro="*" action="ActionSetPerms" path="/etc/shadow" name="root:" value="0400"/>
      <action distro="*" action="ActionSetPerms" path="/etc/shadow.old" name="root:" value="0400"/>
      <action distro="*" action="ActionSetPerms" path="/etc/shadow-" name="root:" value="0400"/>
    </remediation>

    <remediation id="set-etc-gshadow-perms" msids="11.3,11.4" description="Set permissions on /etc/gshadow">
      <action distro="*" action="ActionSetPerms" path="/etc/gshadow" name="root:" value="0400"/>
      <action distro="*" action="ActionSetPerms" path="/etc/gshadow-" name="root:" value="0400"/>
    </remediation>

    <remediation id="set-etc-passwd-perms" msids="12.1,12.3" description="Set permissions on /etc/passwd">
      <action distro="*" action="ActionSetPerms" path="/etc/passwd" name="root:root" value="0644"/>
      <action distro="*" action="ActionSetPerms" path="/etc/passwd-" name="root:root" value="0600"/>
    </remediation>

    <remediation id="set-etc-group-perms" msids="12.2,12.4" description="Set permissions on /etc/group">
      <action distro="*" action="ActionSetPerms" path="/etc/group" name="root:root" value="0644"/>
      <action distro="*" action="ActionSetPerms" path="/etc/group-" name="root:root" value="0644"/>
    </remediation>

    <remediation id="fix-anacrontab-perms" msids="91" description="Fix anacrontab perms">
       <action distro="*" action="ActionSetPerms" path="/etc/anacrontab" value="0600"/>
    </remediation>

    <remediation id="fix-cron-file-perms" msids="93,94,95,96,97" description="Fix cron file/folder permissions">
      <action distro="*" action="ActionScript">
        <!-- NOTE(review): the glob /etc/cron.* matches regular files as well as directories, so any
             file with that prefix gets an execute bit; the script comment cites audits 100-103 but
             msids above lists only 93-97. TODO confirm the intended scope. -->
        <script>
        <![CDATA[
# (Audit 93-97, 100-103) Fix Permissions on cron files/folders
chmod 700 /etc/cron.*
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-avahi-daemon" msids="114" description="Disable avahi-daemon service">
      <action distro="*" action="ActionDisableService" service="avahi-daemon"/>
    </remediation>

    <remediation id="disable-cups" msids="115" description="Disable cups service">
      <action distro="*" action="ActionDisableService" service="cups"/>
    </remediation>

    <remediation id="disable-rpcgssd" msids="126" description="Disable rpcgssd service">
      <action distro="*" action="ActionDisableService" service="rpcgssd"/>
    </remediation>

    <remediation id="disable-rpcidmapd" msids="127" description="Disable rpcidmapd service">
      <action distro="*" action="ActionDisableService" service="rpcidmapd"/>
    </remediation>

    <remediation id="disable-rsync" msids="181" description="Disable rsync service">
      <!-- NOTE(review): the msid 181 audit checks the service named "rsync" while this action
           disables "rsyncd"; the unit name appears to differ by distribution, so on hosts where
           only the other name exists the audit and the remediation disagree. Consider disabling
           both names, as the disable-rpcbind remediation does for nfs/rpcbind. TODO confirm. -->
      <action distro="*" action="ActionDisableService" service="rsyncd"/>
    </remediation>

    <remediation id="disable-rpcbind" msids="129.1" description="Disable rpcbind service">
      <action distro="SLES=11" action="ActionDisableService" service="nfs"/>
      <action distro="*" action="ActionDisableService" service="rpcbind"/>
      <action distro="CentOS>=7|RedHat>=7|SLES>11" action="ActionDisableService" service="rpcbind.socket"/>
    </remediation>

    <remediation id="disable-nfs" msids="129.2" description="Disable NFS service">
      <action distro="*" action="ActionDisableService" service="nfs-server"/>
    </remediation>

    <remediation id="disable-dccp" msids="54" description="Disable DCCP Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-dccp.conf <<EOF
install dccp /bin/true
EOF
chown root.root /etc/modprobe.d/disable-dccp.conf
chmod 644 /etc/modprobe.d/disable-dccp.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-sctp" msids="55" description="Disable SCTP Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-sctp.conf <<EOF
install sctp /bin/true
EOF
chown root.root /etc/modprobe.d/disable-sctp.conf
chmod 644 /etc/modprobe.d/disable-sctp.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-rds" msids="56" description="Disable RDS Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-rds.conf <<EOF
install rds /bin/true
EOF
chown root.root /etc/modprobe.d/disable-rds.conf
chmod 644 /etc/modprobe.d/disable-rds.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-tipc" msids="57" description="Disable tipc Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-tipc.conf <<EOF
install tipc /bin/true
EOF
chown root.root /etc/modprobe.d/disable-tipc.conf
chmod 644 /etc/modprobe.d/disable-tipc.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-cramfs" msids="6.1" description="Disable cramfs Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-cramfs.conf <<EOF
install cramfs /bin/true
EOF
chown root.root /etc/modprobe.d/disable-cramfs.conf
chmod 644 /etc/modprobe.d/disable-cramfs.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-freevxfs" msids="6.2" description="Disable freevxfs Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-freevxfs.conf <<EOF
install freevxfs /bin/true
EOF
chown root.root /etc/modprobe.d/disable-freevxfs.conf
chmod 644 /etc/modprobe.d/disable-freevxfs.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-hfs" msids="6.3" description="Disable hfs Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-hfs.conf <<EOF
install hfs /bin/true
EOF
chown root.root /etc/modprobe.d/disable-hfs.conf
chmod 644 /etc/modprobe.d/disable-hfs.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-hfsplus" msids="6.4" description="Disable hfsplus Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-hfsplus.conf <<EOF
install hfsplus /bin/true
EOF
chown root.root /etc/modprobe.d/disable-hfsplus.conf
chmod 644 /etc/modprobe.d/disable-hfsplus.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-jffs2" msids="6.5" description="Disable jffs2 Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-jffs2.conf <<EOF
install jffs2 /bin/true
EOF
chown root.root /etc/modprobe.d/disable-jffs2.conf
chmod 644 /etc/modprobe.d/disable-jffs2.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="disable-usb-storage" msids="1.1.21.1" description="Disable usb-storage Kernel Module">
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
cat > /etc/modprobe.d/disable-usb-storage.conf <<EOF
install usb-storage /bin/true
EOF
chown root.root /etc/modprobe.d/disable-usb-storage.conf
chmod 644 /etc/modprobe.d/disable-usb-storage.conf
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="configure-password-policy-max-days" msids="157.1" description="Configure PASS_MAX_DAYS in pam ">
      <!-- NOTE(review): this edits /etc/login.defs, not PAM as the description suggests; the sed is
           a no-op when no PASS_MAX_DAYS line exists (nothing is appended), and because the leading
           "#*" is outside the capture group a commented-out line is silently re-enabled. The value
           70 satisfies the msid 157.1 audit (365 or less). -->
      <action distro="*" action="ActionScript">
        <script>
        <![CDATA[
sed -i 's/^#*\s*\(PASS_MAX_DAYS\s\+\)[0-9]\+/\170/g' /etc/login.defs
        ]]>
        </script>
      </action>
    </remediation>
    <remediation id="configure-password-policy-warn-age" msids="157.2" description="Configure PASS_WARN_AGE in pam ">
      <action distro="*" action="ActionScript">
       <script>
        <![CDATA[
sed -i 's/^#*\s*\(PASS_WARN_AGE\s\+\)[0-9]\+/\115/g' /etc/login.defs
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="configure-password-policy-history" msids="157.5" description="Configure password history in pam ">
      <!-- NOTE(review): only an Ubuntu action is defined, while the msid 157.5 audit also covers
           Debian, CentOS, RedHat, Oracle and Mariner and its remediation text sends all of them
           here. As in the other sed edits, the leading "#*" is outside the capture group, so a
           commented-out pam_unix line is re-enabled. TODO confirm. -->
      <action distro="Ubuntu" action="ActionScript">
        <script>
        <![CDATA[
if [ -z "$(egrep '^\s*password\s+.+pam_unix.so.+remember=[0-9]' /etc/pam.d/common-password)" ]; then
    sed -i 's/^#*\s*\(password\s\+.\+pam_unix.so\s\+\)/\1remember=7 /g' /etc/pam.d/common-password
else
    sed -i 's/^#*\s*\(password\s\+.\+pam_unix.so.\+\)remember=[0-9]/\1remember=7/g' /etc/pam.d/common-password
fi
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="set-pass-min-days" msids="157.12" description="Set the minimum days between password changes to 7">
      <action distro="*" action="ActionEditConfig" name="PASS_MIN_DAYS" value="7" value-regex="[0-9]+" path="/etc/login.defs"/>
    </remediation>

    <remediation id="remove-games-user" msids="159" description="Remove the 'games' user">
      <action distro="Ubuntu" action="ActionScript">
        <!-- NOTE(review): "&>/dev/null" is a bash extension; under a POSIX sh it is parsed as a
             background "&" followed by a redirect, making the condition always true so that
             "userdel -r -f games" runs on every host. "if id games >/dev/null 2>&1; then" is
             portable. Which shell ActionScript uses is not shown here. -->
        <script>
        <![CDATA[
if id games &>/dev/null; then
  userdel -r -f games
fi
        ]]>
        </script>
      </action>
    </remediation>

    <remediation id="set-smb-min-version" msids="185" description="Disable smb v1">
      <action distro="*" action="ActionScript">
        <!-- NOTE(review): the egrep patterns require exactly one whitespace between "min" and
             "protocol" and whitespace on both sides of "=", and are case-sensitive, whereas the
             first sed allows any spacing and is case-insensitive; a line such as
             "min protocol=SMB2" or "min protocol = SMB3" is not recognized, so the elif inserts a
             second "min protocol = SMB2" directive under [global] (which one Samba then honours is
             not established here). The insert also requires "[global]" at column 0, while the
             msid 185 audit accepts leading whitespace. TODO confirm. -->
        <script>
        <![CDATA[
# Require SMB v2
if [ -n "$(egrep '^\s*min\sprotocol\s+=\s+SMB1' /etc/samba/smb.conf)" ]; then
    sed -i 's/\(^ *min  *protocol *= *\)SMB1/\1SMB2/i' /etc/samba/smb.conf
elif [ -z "$(egrep '^\s*min\sprotocol\s+=\s+SMB2' /etc/samba/smb.conf)" ]; then
    sed -i 's/\(^\[global\].*$\)/\1\nmin protocol = SMB2/i' /etc/samba/smb.conf
fi
        ]]>
        </script>
      </action>
    </remediation>

  </remediations>
</baseline>