About profile

NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. This baseline implements configuration requirements from the following sources: - NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53) For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Compliance and Scoring

Danger alert: The target system did not satisfy the conditions of 194 rules!

Please review rule results and consider applying remediation.

Rule results

38 Pass

194 Fail

4 Other

Severity of failed rules

4 Unknown

14 Low

170 Medium

6 High

39.60 of 100.00

Evaluation Characteristics

Evaluation target:
ip-10-0-96-160.us-west-2.compute.internal
Profile ID:
xccdf_org.ssgproject.content_profile_moderate
Scanner:
OpenSCAP 1.3.10
Started at:
2025-04-03T20:55:24+00:00
Finished at:
2025-04-03T20:56:28+00:00

Rule Overview

Rule Severity Result

high

pass

Rule ID:

xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero

Result:

pass

Time:

2025-04-03T20:55:26+00:00

Description:

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

Rationale:

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Severity:

high

Identifiers:

CCE-82699-0

References:

cis-csc:	1, 12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10
cui:	3.1.1, 3.1.5
disa:	CCI-000366
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	AC-6(5), IA-2, IA-4(b)
nist-csf:	PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-8.5
pcidss4:	8.2, 8.2.1

OVAL definition:

Definition ID:

oval:ssg-accounts_no_uid_except_zero:def:1

Title:

Verify Only Root Has UID 0

Description:

Only the root account should be assigned a user id of 0.

Version:

OVAL graph of OVAL definition: oval:ssg-accounts_no_uid_except_zero:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity:

medium

Identifiers:

CCE-82556-2

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-chmod_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_chmod:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - chmod

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_chmod:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82557-0

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-chown_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_chown:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - chown

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_chown:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82558-8

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchmod_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_fchmod:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - fchmod

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_fchmod:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82559-6

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchmodat_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_fchmodat:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_fchmodat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82560-4

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchown_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_fchown:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - fchown

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_fchown:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82561-2

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchownat_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_fchownat:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - fchownat

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_fchownat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82562-0

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fremovexattr_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_fremovexattr:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_fremovexattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82563-8

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fsetxattr_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_fsetxattr:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_fsetxattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82564-6

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-lchown_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_lchown:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - lchown

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_lchown:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82565-3

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-lremovexattr_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_lremovexattr:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_lremovexattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82566-1

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-lsetxattr_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_lsetxattr:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_lsetxattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82567-9

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-removexattr_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_removexattr:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - removexattr

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_removexattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Rationale:

Severity:

medium

Identifiers:

CCE-82568-7

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4
stigid:	CNTR-OS-000160, CNTR-OS-000930, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        mode: 0644
        path: /etc/audit/rules.d/75-setxattr_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_dac_modification_setxattr:def:1

Title:

Record Events that Modify the System's Discretionary Access Controls - setxattr

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_dac_modification_setxattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

The audit system should collect write events to /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

Rationale:

Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82700-6

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_group_open_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_group_open:def:1

Title:

Record Events that Modify User/Group Information via open syscall - /etc/group

Description:

Audit rules about the write events to /etc/group

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_group_open:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

The audit system should collect write events to /etc/group file for all group and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

Rationale:

Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82702-2

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_group_open_by_handle_at_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1

Title:

Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group

Description:

Audit rules about the write events to /etc/group

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

Rationale:

Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82701-4

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_group_openat_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_group_openat:def:1

Title:

Record Events that Modify User/Group Information via openat syscall - /etc/group

Description:

Audit rules about the write events to /etc/group

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_group_openat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

The audit system should collect write events to /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale:

Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82703-0

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_gshadow_open_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_gshadow_open:def:1

Title:

Record Events that Modify User/Group Information via open syscall - /etc/gshadow

Description:

Audit rules about the write events to /etc/gshadow

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_gshadow_open:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale:

Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82705-5

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_gshadow_open_by_handle_at_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1

Title:

Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow

Description:

Audit rules about the write events to /etc/gshadow

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale:

Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82704-8

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_gshadow_openat_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_gshadow_openat:def:1

Title:

Record Events that Modify User/Group Information via openat syscall - /etc/gshadow

Description:

Audit rules about the write events to /etc/gshadow

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_gshadow_openat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

The audit system should collect write events to /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

Rationale:

Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82706-3

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_passwd_open_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_passwd_open:def:1

Title:

Record Events that Modify User/Group Information via open syscall - /etc/passwd

Description:

Audit rules about the write events to /etc/passwd

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_passwd_open:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

Rationale:

Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82708-9

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_passwd_open_by_handle_at_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1

Title:

Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd

Description:

Audit rules about the write events to /etc/passwd

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

Rationale:

Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82707-1

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_passwd_openat_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_passwd_openat:def:1

Title:

Record Events that Modify User/Group Information via openat syscall - /etc/passwd

Description:

Audit rules about the write events to /etc/passwd

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_passwd_openat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

The audit system should collect write events to /etc/shadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale:

Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82709-7

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_shadow_open_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_shadow_open:def:1

Title:

Record Events that Modify User/Group Information via open syscall - /etc/shadow

Description:

Audit rules about the write events to /etc/shadow

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_shadow_open:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale:

Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82711-3

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_shadow_open_by_handle_at_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1

Title:

Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow

Description:

Audit rules about the write events to /etc/shadow

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale:

Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82710-5

References:

nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
        mode: 0644
        path: /etc/audit/rules.d/75-etc_shadow_openat_path_syscall.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_etc_shadow_openat:def:1

Title:

Record Events that Modify User/Group Information via openat syscall - /etc/shadow

Description:

Audit rules about the write events to /etc/shadow

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_etc_shadow_openat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Severity:

medium

Identifiers:

CCE-82569-5

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/chcon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/chcon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_chcon_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_execution_chcon:def:1

Title:

Record Any Attempts to Run chcon

Description:

Audit rules about the information on the use of chcon is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_execution_chcon:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82570-3

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/restorecon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/restorecon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_restorecon_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_execution_restorecon:def:1

Title:

Record Any Attempts to Run restorecon

Description:

Audit rules about the information on the use of restorecon is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_execution_restorecon:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82571-1

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, CNTR-OS-000940, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/semanage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/semanage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_semanage_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_execution_semanage:def:1

Title:

Record Any Attempts to Run semanage

Description:

Audit rules about the information on the use of semanage is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_execution_semanage:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82572-9

References:

disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, CNTR-OS-000940, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/setfiles%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/setfiles%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_setfiles_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_execution_setfiles:def:1

Title:

Record Any Attempts to Run setfiles

Description:

Audit rules about the information on the use of setfiles is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_execution_setfiles:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82573-7

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, CNTR-OS-000940, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/setsebool%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/setsebool%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_setsebool_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_execution_setsebool:def:1

Title:

Record Any Attempts to Run setsebool

Description:

Audit rules about the information on the use of setsebool is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_execution_setsebool:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82574-5

References:

disa:	CCI-000172
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/seunshare%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/seunshare%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_seunshare_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_execution_seunshare:def:1

Title:

Record Any Attempts to Run seunshare

Description:

Audit rules about the information on the use of seunshare is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_execution_seunshare:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.

Severity:

medium

Identifiers:

CCE-82575-2

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.7
pcidss4:	10.2, 10.2.1, 10.2.1.7
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
        mode: 0644
        path: /etc/audit/rules.d/75-rename-file-deletion-events.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_file_deletion_events_rename:def:1

Title:

Ensure auditd Collects File Deletion Events by User - rename

Description:

The deletion of files should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_file_deletion_events_rename:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Severity:

medium

Identifiers:

CCE-82576-0

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.7
pcidss4:	10.2, 10.2.1, 10.2.1.7
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
        mode: 0644
        path: /etc/audit/rules.d/75-renameat-file-deletion-events.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_file_deletion_events_renameat:def:1

Title:

Ensure auditd Collects File Deletion Events by User - renameat

Description:

The deletion of files should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_file_deletion_events_renameat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Severity:

medium

Identifiers:

CCE-82577-8

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.7
pcidss4:	10.2, 10.2.1, 10.2.1.7
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rmdir%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rmdir%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
        mode: 0644
        path: /etc/audit/rules.d/75-rmdir-file-deletion-events.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_file_deletion_events_rmdir:def:1

Title:

Ensure auditd Collects File Deletion Events by User - rmdir

Description:

The deletion of files should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_file_deletion_events_rmdir:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Severity:

medium

Identifiers:

CCE-82578-6

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.7
pcidss4:	10.2, 10.2.1, 10.2.1.7
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
        mode: 0644
        path: /etc/audit/rules.d/75-unlink-file-deletion-events.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_file_deletion_events_unlink:def:1

Title:

Ensure auditd Collects File Deletion Events by User - unlink

Description:

The deletion of files should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_file_deletion_events_unlink:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Severity:

medium

Identifiers:

CCE-82579-4

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.7
pcidss4:	10.2, 10.2.1, 10.2.1.7
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
        mode: 0644
        path: /etc/audit/rules.d/75-unlinkat-file-deletion-events.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1

Title:

Ensure auditd Collects File Deletion Events by User - unlinkat

Description:

The deletion of files should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_immutable

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:

-e 2

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:

-e 2

With this setting, a reboot will be required to change any audit rules.

Rationale:

Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.

Severity:

medium

Identifiers:

CCE-82668-5

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.3.1, 3.4.3
disa:	CCI-000162, CCI-000163, CCI-000164
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	AC-6(9), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
pcidss:	Req-10.5.2
pcidss4:	10.3, 10.3.2
stigid:	CNTR-OS-000310, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-e%202%0A
        mode: 0600
        path: /etc/audit/rules.d/90-immutable.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_immutable:def:1

Title:

Make the auditd Configuration Immutable

Description:

Force a reboot to change audit rules is enabled

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_immutable:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S delete_module -F key=modules

Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.

Rationale:

The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Severity:

medium

Identifiers:

CCE-82580-2

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
pcidss:	Req-10.2.7
stigid:	CNTR-OS-000930, CNTR-OS-000980, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
        mode: 0600
        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_kernel_module_loading_delete:def:1

Title:

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Description:

The audit rules should be configured to log information about kernel module loading and unloading.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_kernel_module_loading_delete:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S finit_module -F key=modules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S finit_module -F key=modules

Rationale:

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Severity:

medium

Identifiers:

CCE-82581-0

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
pcidss:	Req-10.2.7
stigid:	CNTR-OS-000930, CNTR-OS-000980, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
        mode: 0600
        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_kernel_module_loading_finit:def:1

Title:

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

Description:

The audit rules should be configured to log information about kernel module loading and unloading.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_kernel_module_loading_finit:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module -F key=modules

Rationale:

The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Severity:

medium

Identifiers:

CCE-82582-8

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
pcidss:	Req-10.2.7
stigid:	CNTR-OS-000930, CNTR-OS-000980, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
        mode: 0600
        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_kernel_module_loading_init:def:1

Title:

Ensure auditd Collects Information on Kernel Module Loading - init_module

Description:

The audit rules should be configured to log information about kernel module loading and unloading.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_kernel_module_loading_init:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /var/run/faillock -p wa -k logins

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /var/run/faillock -p wa -k logins

Rationale:

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Severity:

medium

Identifiers:

CCE-82583-6

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218
pcidss:	Req-10.2.3
pcidss4:	10.2, 10.2.1, 10.2.1.3
stigid:	CNTR-OS-000970, CNTR-OS-001000, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20{{ %7B%7B.var_accounts_passwords_pam_faillock_dir%7D%7D }}%20-p%20wa%20-k%20logins%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_login_events_faillock.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_login_events_faillock:def:1

Title:

Record Attempts to Alter Logon and Logout Events - faillock

Description:

Check if actions on path specified in the 'var_accounts_passwords_pam_faillock_dir' variable are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_login_events_faillock:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-w /var/log/lastlog -p wa -k logins

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /var/log/lastlog -p wa -k logins

Rationale:

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Severity:

medium

Identifiers:

CCE-82584-4

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218
pcidss:	Req-10.2.3
pcidss4:	10.2, 10.2.1, 10.2.1.3
stigid:	CNTR-OS-000930, CNTR-OS-000970, CNTR-OS-001000, SRG-APP-000495-CTR-001235, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/var/log/lastlog%20-p%20wa%20-k%20logins%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_login_events_lastlog.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_login_events_lastlog:def:1

Title:

Record Attempts to Alter Logon and Logout Events - lastlog

Description:

Check if actions on '/var/log/lastlog' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_login_events_lastlog:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-w /var/log/tallylog -p wa -k logins

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /var/log/tallylog -p wa -k logins

Rationale:

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Severity:

medium

Identifiers:

CCE-82585-1

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218
pcidss:	Req-10.2.3
pcidss4:	10.2, 10.2.1, 10.2.1.3
stigid:	CNTR-OS-000970, SRG-APP-000503-CTR-001275

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/var/log/tallylog%20-p%20wa%20-k%20logins%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_login_events_tallylog.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_login_events_tallylog:def:1

Title:

Record Attempts to Alter Logon and Logout Events - tallylog

Description:

Check if actions on '/var/log/tallylog' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_login_events_tallylog:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_mac_modification

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

-w /etc/selinux/ -p wa -k MAC-policy

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-w /etc/selinux/ -p wa -k MAC-policy

Rationale:

The system's mandatory access policy (SELinux or Apparmor) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Severity:

medium

Identifiers:

CCE-82586-9

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.8
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_mac_modification:def:1

Title:

Record Events that Modify the System's Mandatory Access Controls

Description:

Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_mac_modification:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_media_export

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

Rationale:

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Severity:

medium

Identifiers:

CCE-82587-7

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.7
pcidss4:	10.2, 10.2.1, 10.2.1.7
stigid:	CNTR-OS-000930, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dexport%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dexport%0A
        mode: 0644
        path: /etc/audit/rules.d/75-mount_dac_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_media_export:def:1

Title:

Ensure auditd Collects Information on Exporting to Media (successful)

Description:

The changing of file permissions and attributes should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_media_export:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification

-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

Rationale:

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Severity:

medium

Identifiers:

CCE-82588-5

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.5.5
pcidss4:	10.3, 10.3.4

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20sethostname%2Csetdomainname%20-F%20key%3Daudit_rules_networkconfig_modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20sethostname%2Csetdomainname%20-F%20key%3Daudit_rules_networkconfig_modification%0A-w%20/etc/issue%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/issue.net%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/hosts%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/sysconfig/network%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A
        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_networkconfig_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_networkconfig_modification:def:1

Title:

Record Events that Modify the System's Network Environment

Description:

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_networkconfig_modification:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82590-1

References:

disa:	CCI-000172
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/at%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/at%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_at_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_at:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - at

Description:

Audit rules about the information on the use of at is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_at:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82591-9

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000960, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/chage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/chage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_chage_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_chage:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Description:

Audit rules about the information on the use of chage is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_chage:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82592-7

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/chsh%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/chsh%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_chsh_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_chsh:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Description:

Audit rules about the information on the use of chsh is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_chsh:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82593-5

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/crontab%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/crontab%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_crontab_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_crontab:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Description:

Audit rules about the information on the use of crontab is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_crontab:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82594-3

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, CNTR-OS-000930, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/gpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/gpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_gpasswd_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_gpasswd:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

Description:

Audit rules about the information on the use of gpasswd is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_gpasswd:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82595-0

References:

disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, SRG-APP-000029-CTR-000085

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_mount_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_mount:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - mount

Description:

Audit rules about the information on the use of mount is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_mount:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82596-8

References:

disa:	CCI-000172
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/newgidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/newgidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_newgidmap_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_newgidmap:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap

Description:

Audit rules about the information on the use of newgidmap is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_newgidmap:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82597-6

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, CNTR-OS-000930, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/newgrp%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/newgrp%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_newgrp_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_newgrp:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Description:

Audit rules about the information on the use of newgrp is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_newgrp:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82598-4

References:

disa:	CCI-000172
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/newuidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/newuidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_newuidmap_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_newuidmap:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap

Description:

Audit rules about the information on the use of newuidmap is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_newuidmap:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82599-2

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, CNTR-OS-000930, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/pam_timestamp_check%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/pam_timestamp_check%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_pam_timestamp_check_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Description:

Audit rules about the information on the use of pam_timestamp_check is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82600-8

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, CNTR-OS-000930, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_passwd_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_passwd:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

Description:

Audit rules about the information on the use of passwd is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_passwd:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82601-6

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/postdrop%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/postdrop%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_postdrop_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_postdrop:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

Description:

Audit rules about the information on the use of postdrop is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_postdrop:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82602-4

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/postqueue%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/postqueue%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_postqueue_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_postqueue:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

Description:

Audit rules about the information on the use of postqueue is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_postqueue:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82603-2

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000135, CCI-000172, CCI-002884
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000950, CNTR-OS-000960, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/libexec/pt_chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/libexec/pt_chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_libexec_pt_chown_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_pt_chown:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown

Description:

Audit rules about the information on the use of pt_chown is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_pt_chown:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82604-0

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, CNTR-OS-000930, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/libexec/openssh/ssh-keysign%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/libexec/openssh/ssh-keysign%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_libexec_openssh_ssh-keysign_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Description:

Audit rules about the information on the use of ssh_keysign is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82605-7

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220
stigid:	CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/su%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/su%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_su_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_su:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - su

Description:

Audit rules about the information on the use of su is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_su:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82606-5

References:

anssi:	R33
cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220
stigid:	CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000950, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/sudo%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/sudo%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_sudo_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_sudo:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Description:

Audit rules about the information on the use of sudo is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_sudo:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82607-3

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220
stigid:	CNTR-OS-000930, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/sudoedit%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/sudoedit%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_sudoedit_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_sudoedit:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

Description:

Audit rules about the information on the use of sudoedit is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_sudoedit:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82608-1

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, SRG-APP-000029-CTR-000085

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/umount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/umount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_umount_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_umount:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - umount

Description:

Audit rules about the information on the use of umount is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_umount:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82609-9

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5
nist:	AC-2(4), AC-6(9), AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AU-2(d), AU-3, AU-3.1, CM-6(a), MA-4(1)(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000080, CNTR-OS-000930, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/unix_chkpwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/unix_chkpwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_unix_chkpwd_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Description:

Audit rules about the information on the use of unix_chkpwd is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82610-7

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
stigid:	CNTR-OS-000930, SRG-APP-000495-CTR-001235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/userhelper%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/userhelper%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_userhelper_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_userhelper:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

Description:

Audit rules about the information on the use of userhelper is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_userhelper:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=ARCH -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F arch=ARCH -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Severity:

medium

Identifiers:

CCE-82611-5

References:

disa:	CCI-000172
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/usernetctl%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/usernetctl%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_usernetctl_execution.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_privileged_commands_usernetctl:def:1

Title:

Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl

Description:

Audit rules about the information on the use of usernetctl is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_privileged_commands_usernetctl:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_session_events

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

Rationale:

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Severity:

medium

Identifiers:

CCE-82612-3

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
ism:	0582, 0584, 0586, 05885, 0846, 0957
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.2.3
pcidss4:	10.2, 10.2.1, 10.2.1.3
stigid:	CNTR-OS-000990, SRG-APP-000505-CTR-001285

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-audit-session-events.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_session_events:def:1

Title:

Record Attempts to Alter Process and Session Initiation Information

Description:

Audit rules should capture information about session initiation.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_session_events:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-w /etc/sudoers -p wa -k actions

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/sudoers -p wa -k actions

-w /etc/sudoers.d/ -p wa -k actions

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/sudoers.d/ -p wa -k actions

Rationale:

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Severity:

medium

Identifiers:

CCE-82613-1

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nist:	AC-2(7)(b), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221
pcidss:	Req-10.2.2, Req-10.2.5.b
pcidss4:	10.2, 10.2.1, 10.2.1.5
stigid:	CNTR-OS-000050, CNTR-OS-000060, CNTR-OS-000070, SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_sysadmin_actions:def:1

Title:

Ensure auditd Collects System Administrator Actions

Description:

Audit actions taken by system administrators on the system.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_sysadmin_actions:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale:

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Severity:

medium

Identifiers:

CCE-82614-9

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000169, CCI-001487
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.4.2.b
pcidss4:	10.6, 10.6.3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_time_adjtimex:def:1

Title:

Record attempts to alter time through adjtimex

Description:

Record attempts to alter time through adjtimex.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_time_adjtimex:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale:

Severity:

medium

Identifiers:

CCE-82615-6

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000169, CCI-001487
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.4.2.b
pcidss4:	10.6, 10.6.3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_time_clock_settime:def:1

Title:

Record Attempts to Alter Time Through clock_settime

Description:

Record attempts to alter time through clock_settime.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_time_clock_settime:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules

-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale:

Severity:

medium

Identifiers:

CCE-82616-4

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000169, CCI-001487
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.4.2.b
pcidss4:	10.6, 10.6.3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_time_settimeofday:def:1

Title:

Record attempts to alter time through settimeofday

Description:

Record attempts to alter time through settimeofday.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_time_settimeofday:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_time_stime

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-a always,exit -F arch=b32 -S stime -F key=audit_time_rules

Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:

-a always,exit -F arch=b32 -S stime -F key=audit_time_rules

Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls:

-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale:

Severity:

medium

Identifiers:

CCE-82617-2

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000169, CCI-001487
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.4.2.b
pcidss4:	10.6, 10.6.3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-stime.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_time_stime:def:1

Title:

Record Attempts to Alter Time Through stime

Description:

Record attempts to alter time through stime. Note that on 64-bit architectures the stime system call is not defined in the audit system calls lookup table.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_time_stime:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch_and_not_s390x_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

-w /etc/localtime -p wa -k audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/localtime -p wa -k audit_time_rules

Rationale:

Severity:

medium

Identifiers:

CCE-82618-0

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000169, CCI-001487
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.4.2.b
pcidss4:	10.6, 10.6.3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_time_watch_localtime.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_time_watch_localtime:def:1

Title:

Record Attempts to Alter the localtime File

Description:

Check if actions on '/etc/localtime' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_time_watch_localtime:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82619-8

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-chmod_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1

Title:

Record Unsuccessful Permission Changes to Files - chmod

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82620-6

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-chown_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1

Title:

Record Unsuccessful Ownership Changes to Files - chown

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82621-4

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000495-CTR-001235

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1

Title:

Record Unsuccessful Access Attempts to Files - creat

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82622-2

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchmod_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1

Title:

Record Unsuccessful Permission Changes to Files - fchmod

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82624-8

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchmodat_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1

Title:

Record Unsuccessful Permission Changes to Files - fchmodat

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82625-5

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchown_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1

Title:

Record Unsuccessful Ownership Changes to Files - fchown

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82626-3

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fchownat_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1

Title:

Record Unsuccessful Ownership Changes to Files - fchownat

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82627-1

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fremovexattr_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1

Title:

Record Unsuccessful Permission Changes to Files - fremovexattr

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82628-9

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-fsetxattr_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1

Title:

Record Unsuccessful Permission Changes to Files - fsetxattr

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82629-7

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000495-CTR-001235

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1

Title:

Record Unsuccessful Access Attempts to Files - ftruncate

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82630-5

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-lchown_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1

Title:

Record Unsuccessful Ownership Changes to Files - lchown

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82631-3

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-lremovexattr_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1

Title:

Record Unsuccessful Permission Changes to Files - lremovexattr

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82632-1

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-lsetxattr_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1

Title:

Record Unsuccessful Permission Changes to Files - lsetxattr

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82633-9

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000495-CTR-001235

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1

Title:

Record Unsuccessful Access Attempts to Files - open

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82640-4

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000495-CTR-001235

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1

Title:

Record Unsuccessful Access Attempts to Files - open_by_handle_at

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to create new files when O_CREAT flag is specified. The following auidt rules will asure that unsuccessful attempts to create a file via open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82641-2

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1

Title:

Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT

Description:

Audit rules about the information on the unsuccessful use of open_by_handle_at O_CREAT is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect detailed unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to modify files if called for write operation of with O_TRUNC_WRITE flag. The following auidt rules will asure that unsuccessful attempts to modify a file via open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82642-0

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1

Title:

Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE

Description:

Audit rules about the information on the unsuccessful use of open_by_handle_at O_TRUNC is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order. The more specific rules need to come before the less specific rules. The reason for that is that more specific rules cover a subset of events covered in the less specific rules, thus, they need to come before to not be overshadowed by less specific rules, which match a bigger set of events. Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of rules below in /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

Rationale:

The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.

Severity:

medium

Identifiers:

CCE-82643-8

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1

Title:

Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly

Description:

Audit rules about the information on the unsuccessful use of open_by_handle_at is configured in the proper rule order.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect unauthorized file accesses for all users and root. The open syscall can be used to create new files when O_CREAT flag is specified. The following auidt rules will asure that unsuccessful attempts to create a file via open syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82644-6

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1

Title:

Record Unsuccessful Creation Attempts to Files - open O_CREAT

Description:

Audit rules about the information on the unsuccessful use of open O_CREAT is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect detailed unauthorized file accesses for all users and root. The open syscall can be used to modify files if called for write operation of with O_TRUNC_WRITE flag. The following auidt rules will asure that unsuccessful attempts to modify a file via open syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82645-3

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1

Title:

Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE

Description:

Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via open syscall the audit rules collecting these events need to be in certain order. The more specific rules need to come before the less specific rules. The reason for that is that more specific rules cover a subset of events covered in the less specific rules, thus, they need to come before to not be overshadowed by less specific rules, which match a bigger set of events. Make sure that rules for unsuccessful calls of open syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of rules below in /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

Rationale:

Severity:

medium

Identifiers:

CCE-82646-1

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1

Title:

Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly

Description:

Audit rules about the information on the unsuccessful use of open is configured in the proper rule order.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82634-7

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000495-CTR-001235

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1

Title:

Record Unsuccessful Access Attempts to Files - openat

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect unauthorized file accesses for all users and root. The openat syscall can be used to create new files when O_CREAT flag is specified. The following auidt rules will asure that unsuccessful attempts to create a file via openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82635-4

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1

Title:

Record Unsuccessful Creation Attempts to Files - openat O_CREAT

Description:

Audit rules about the information on the unsuccessful use of openat O_CREAT is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for write operation of with O_TRUNC_WRITE flag. The following auidt rules will asure that unsuccessful attempts to modify a file via openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82636-2

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1

Title:

Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE

Description:

Audit rules about the information on the unsuccessful use of openat O_TRUNC is enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via openat syscall the audit rules collecting these events need to be in certain order. The more specific rules need to come before the less specific rules. The reason for that is that more specific rules cover a subset of events covered in the less specific rules, thus, they need to come before to not be overshadowed by less specific rules, which match a bigger set of events. Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of rules below in /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

Rationale:

Severity:

medium

Identifiers:

CCE-82639-6

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
pcidss:	Req-10.2.1, Req-10.2.4

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1

Title:

Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly

Description:

Audit rules about the information on the unsuccessful use of openat is configured in the proper rule order.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82647-9

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-removexattr_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1

Title:

Record Unsuccessful Permission Changes to Files - removexattr

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Rationale:

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82648-7

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-rename_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1

Title:

Record Unsuccessful Delete Attempts to Files - rename

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Rationale:

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82649-5

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-renameat_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1

Title:

Record Unsuccessful Delete Attempts to Files - renameat

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale:

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82650-3

References:

disa:	CCI-000172
nist:	AU-12(c), AU-2(d), CM-6(a)

Warnings:

General warning

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-setxattr_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1

Title:

Record Unsuccessful Permission Changes to Files - setxattr

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82651-1

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000495-CTR-001235

Warnings:

General warning

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1

Title:

Record Unsuccessful Access Attempts to Files - truncate

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Rationale:

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82652-9

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-unlink_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_unlink:def:1

Title:

Record Unsuccessful Delete Attempts to Files - unlink

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_unlink:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

CPE platform required by rule:

#not_aarch64_arch

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat

Result:

fail

Time:

2025-04-03T20:56:27+00:00

Description:

-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Rationale:

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Severity:

medium

Identifiers:

CCE-82653-7

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000172, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist:	AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212
pcidss:	Req-10.2.1, Req-10.2.4
stigid:	SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270

Warnings:

General warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
        mode: 0644
        path: /etc/audit/rules.d/75-unlinkat_audit_rules_unsuccessful_file_modification.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1

Title:

Record Unsuccessful Delete Attempts to Files - unlinkat

Description:

Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-w /etc/group -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/group -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Severity:

medium

Identifiers:

CCE-82654-5

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000015, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-002130, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221
pcidss:	Req-10.2.5
pcidss4:	10.2, 10.2.1, 10.2.1.5
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_group.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_usergroup_modification_group:def:1

Title:

Record Events that Modify User/Group Information - /etc/group

Description:

Check if actions on '/etc/group' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_usergroup_modification_group:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Rationale:

Severity:

medium

Identifiers:

CCE-82655-2

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000015, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-002130, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221
pcidss:	Req-10.2.5
pcidss4:	10.2, 10.2.1, 10.2.1.5
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_gshadow.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_usergroup_modification_gshadow:def:1

Title:

Record Events that Modify User/Group Information - /etc/gshadow

Description:

Check if actions on '/etc/gshadow' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_usergroup_modification_gshadow:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Rationale:

Severity:

medium

Identifiers:

CCE-82656-0

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000015, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-002130, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221
pcidss:	Req-10.2.5
pcidss4:	10.2, 10.2.1, 10.2.1.5
stigid:	CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000970, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_opasswd.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_usergroup_modification_opasswd:def:1

Title:

Record Events that Modify User/Group Information - /etc/security/opasswd

Description:

Check if actions on '/etc/security/opasswd' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_usergroup_modification_opasswd:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Rationale:

Severity:

medium

Identifiers:

CCE-82657-8

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000015, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-002130, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221
pcidss:	Req-10.2.5
pcidss4:	10.2, 10.2.1, 10.2.1.5
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification_passwd%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_passwd.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_usergroup_modification_passwd:def:1

Title:

Record Events that Modify User/Group Information - /etc/passwd

Description:

Check if actions on '/etc/passwd' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_usergroup_modification_passwd:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Rationale:

Severity:

medium

Identifiers:

CCE-82658-6

References:

anssi:	R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.1.7
disa:	CCI-000015, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-002130, CCI-002884
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nist:	AC-2(4), AC-6(9), AU-12(c), AU-2(d), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221
pcidss:	Req-10.2.5
pcidss4:	10.2, 10.2.1, 10.2.1.5
stigid:	CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:

          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A

        mode: 0644
        path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_shadow.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-audit_rules_usergroup_modification_shadow:def:1

Title:

Record Events that Modify User/Group Information - /etc/shadow

Description:

Check if actions on '/etc/shadow' are configured to be audited

Version:

OVAL graph of OVAL definition: oval:ssg-audit_rules_usergroup_modification_shadow:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

disk_error_action = ACTION

Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

Rationale:

Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

Severity:

medium

Identifiers:

CCE-82679-2

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5:	APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-000140
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013:	A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist:	AU-5(1), AU-5(2), AU-5(4), AU-5(b), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000047-GPOS-00023
stigid:	CNTR-OS-000190, CNTR-OS-000200, CNTR-OS-000210, CNTR-OS-000670, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_disk_error_action:def:1

Title:

Configure auditd Disk Error Action on Disk Error

Description:

disk_error_action setting in /etc/audit/auditd.conf is set to a certain action

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_disk_error_action:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

disk_full_action = ACTION

Rationale:

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Severity:

medium

Identifiers:

CCE-82676-8

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5:	APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-000140
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013:	A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist:	AU-5(1), AU-5(2), AU-5(4), AU-5(b), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000047-GPOS-00023

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_disk_full_action:def:1

Title:

Configure auditd Disk Full Action when Disk Space Is Full

Description:

disk_full_action setting in /etc/audit/auditd.conf is set to a certain action

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_disk_full_action:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

admin_space_left_action = ACTION

Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

Rationale:

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Severity:

medium

Identifiers:

CCE-82677-6

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui:	3.3.1
disa:	CCI-001855
hipaa:	164.312(a)(2)(ii)
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013:	A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist:	AU-5(1), AU-5(2), AU-5(4), AU-5(b), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000343-GPOS-00134
pcidss:	Req-10.7
pcidss4:	10.5, 10.5.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_retention_admin_space_left_action:def:1

Title:

Configure auditd admin_space_left Action on Low Disk Space

Description:

admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_retention_admin_space_left_action:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_retention_flush

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:

flush = incremental_async

Rationale:

Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.

Severity:

medium

Identifiers:

CCE-82508-3

References:

cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.3.1
disa:	CCI-001576
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009:	4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip:	CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nist:	AU-11, CM-6(a)
nist-csf:	DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srg:	SRG-OS-000480-GPOS-00227
ospp:	FAU_GEN.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_retention_flush:def:1

Title:

Configure auditd flush priority

Description:

The setting for flush in /etc/audit/auditd.conf

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_retention_flush:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:

max_log_file = STOREMB

Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

Rationale:

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Severity:

medium

Identifiers:

CCE-82694-1

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7
nerc-cip:	CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nist:	AU-11, CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidss:	Req-10.7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_retention_max_log_file:def:1

Title:

Configure auditd Max Log File Size

Description:

max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_retention_max_log_file:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:

max_log_file_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include:

ignore
syslog
suspend
rotate
keep_logs

Set the ACTION to rotate. The setting is case-insensitive.

Rationale:

Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.

Severity:

medium

Identifiers:

CCE-82680-0

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-000140
hipaa:	164.312(a)(2)(ii)
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013:	A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist:	AU-5(1), AU-5(2), AU-5(4), AU-5(b), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000047-GPOS-00023
pcidss:	Req-10.7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_retention_max_log_file_action:def:1

Title:

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Description:

max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_retention_max_log_file_action:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of 5:

num_logs = NUMLOGS

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

Rationale:

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Severity:

medium

Identifiers:

CCE-82693-3

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui:	3.3.1
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7
nerc-cip:	CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nist:	AU-11, CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidss:	Req-10.7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_retention_num_logs:def:1

Title:

Configure auditd Number of Logs Retained

Description:

num_logs setting in /etc/audit/auditd.conf is set to at least a certain value

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_retention_num_logs:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

space_left = SIZE_in_MB

Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.

Rationale:

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Severity:

medium

Identifiers:

CCE-82681-8

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5:	APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-001855
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013:	A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist:	AU-5(1), AU-5(2), AU-5(4), AU-5(b), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000343-GPOS-00134
pcidss:	Req-10.7
pcidss4:	10.5, 10.5.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_retention_space_left:def:1

Title:

Configure auditd space_left on Low Disk Space

Description:

space_left setting in /etc/audit/auditd.conf is set to at least a certain value

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_retention_space_left:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

space_left_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include:

syslog
email
exec
suspend
single
halt

Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.

Rationale:

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Severity:

medium

Identifiers:

CCE-82678-4

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui:	3.3.1
disa:	CCI-001855
hipaa:	164.312(a)(2)(ii)
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013:	A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist:	AU-5(1), AU-5(2), AU-5(4), AU-5(b), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000343-GPOS-00134
pcidss:	Req-10.7
pcidss4:	10.5, 10.5.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_data_retention_space_left_action:def:1

Title:

Configure auditd space_left Action on Low Disk Space

Description:

space_left_action setting in /etc/audit/auditd.conf is set to a certain action

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_data_retention_space_left_action:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_freq

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

To configure Audit daemon to issue an explicit flush to disk command after writing 50 records, set freq to 50 in /etc/audit/auditd.conf.

Rationale:

If option freq isn't set to 50, the flush to disk may happen after higher number of records, increasing the danger of audit loss.

Severity:

medium

Identifiers:

CCE-82512-5

References:

disa:	CCI-000154
nist:	CM-6
os-srg:	SRG-OS-000051-GPOS-00024
ospp:	FAU_GEN.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_freq:def:1

Title:

Set number of records to cause an explicit flush to audit logs

Description:

Ensure 'freq' is configured with value '50' in /etc/audit/auditd.conf

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_freq:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_local_events

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

To configure Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.

Rationale:

If option local_events isn't set to yes only events from network will be aggregated.

Severity:

medium

Identifiers:

CCE-82509-1

References:

disa:	CCI-000169, CCI-000366
nist:	CM-6
os-srg:	SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_local_events:def:1

Title:

Include Local Events in Audit Logs

Description:

Ensure 'local_events' is configured with value 'yes' in /etc/audit/auditd.conf

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_local_events:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

low

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_log_format

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.

Rationale:

If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them.

Severity:

low

Identifiers:

CCE-82511-7

References:

disa:	CCI-000366, CCI-001487
nist:	AU-3, CM-6
os-srg:	SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227
ospp:	FAU_GEN.1.2
stigid:	CNTR-OS-000190, CNTR-OS-000200, CNTR-OS-000210, CNTR-OS-000670, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_log_format:def:1

Title:

Resolve information before writing to audit logs

Description:

Ensure 'log_format' is configured with value 'ENRICHED' in /etc/audit/auditd.conf

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_log_format:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_name_format

Result:

fail

Time:

2025-04-03T20:56:28+00:00

Description:

To configure Audit daemon to use a unique identifier as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf.

Rationale:

If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish.

Severity:

medium

Identifiers:

CCE-82513-3

References:

disa:	CCI-000132, CCI-001851
nist:	AU-3, CM-6
os-srg:	SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
ospp:	FAU_GEN.1.2
pcidss4:	10.2, 10.2.2

Warnings:

General warning

Whenever the variable

var_auditd_name_format

uses a multiple value option, for example

A|B|C

, the first value will be used when remediating this rule.

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_name_format:def:1

Title:

Set type of computer node name logging in audit logs

Description:

Ensure 'name_format' is configured with value 'hostname|fdq|numeric' in /etc/audit/auditd.conf

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_name_format:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_auditd_write_logs

Result:

pass

Time:

2025-04-03T20:56:28+00:00

Description:

To configure Audit daemon to write Audit logs to the disk, set write_logs to yes in /etc/audit/auditd.conf. This is the default setting.

Rationale:

If write_logs isn't set to yes, the Audit logs will not be written to the disk.

Severity:

medium

Identifiers:

CCE-82510-9

References:

disa:	CCI-000366
nist:	CM-6
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-auditd_write_logs:def:1

Title:

Write Audit Logs to the Disk

Description:

Ensure 'write_logs' is configured with value 'yes' in /etc/audit/auditd.conf

Version:

OVAL graph of OVAL definition: oval:ssg-auditd_write_logs:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_banner_etc_issue

Result:

fail

Time:

2025-04-03T20:55:24+00:00

Description:

To configure the system login banner create a file under /etc/issue.d The Machine Configuration provided with this rule is generic. You may need to adjust it accordingly to fit your usecase. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.

-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

To address this, please create a MachineConfig object with the appropriate text in a drop-in file in /etc/issue.d/. You can also use the supplied remediation, which will be available based on scan results using `oc get remediations`. The default remediation is opinionated and you may need to adjust the MachineConfig accordingly for your use case. Do not try to edit /etc/issue directly as this is a symlink provided by the Operating System.

For example, if you're using the DoD required text, the manifest would look as follows:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-etc-issue
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
        mode: 0644
        path: /etc/issue.d/legal-notice
        overwrite: true

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Severity:

medium

Identifiers:

CCE-82555-4

References:

cis-csc:	1, 12, 15, 16
cobit5:	DSS05.04, DSS05.10, DSS06.10
cui:	3.1.9
disa:	CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388
isa-62443-2009:	4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013:	A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nist:	AC-8(a), AC-8(c)
nist-csf:	PR.AC-7
os-srg:	SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
    machineconfiguration.openshift.io/role: worker
  name: 75-banner-etc-issue
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
        mode: 0644
        path: /etc/issue.d/legal-notice
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-banner_etc_issue:def:1

Title:

Modify the System Login Banner

Description:

The system login banner text should be set correctly.

Version:

OVAL graph of OVAL definition: oval:ssg-banner_etc_issue:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

unknown

notchecked

Rule ID:

xccdf_org.ssgproject.content_rule_bios_disable_usb_boot

Result:

notchecked

Time:

2025-04-03T20:56:03+00:00

Description:

Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.

Rationale:

Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS.

Severity:

unknown

Identifiers:

CCE-82662-8

References:

cis-csc:	12, 16
cobit5:	APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03
disa:	CCI-001250
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6
iso27001-2013:	A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1
nist:	CM-6(a), CM-7(b), MP-7
nist-csf:	PR.AC-3, PR.AC-6

Messages:

Message: Message:

No candidate or applicable check found.

Warning alert: There is no OVAL definition.

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_chronyd_client_only

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode.

Rationale:

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Severity:

low

Identifiers:

CCE-82465-6

References:

disa:	CCI-000381, CCI-000382
nist:	AU-12(1), AU-8(1)
os-srg:	SRG-OS-000095-GPOS-00049, SRG-OS-000096-GPOS-00050
ospp:	FMT_SMF_EXT.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
      - contents:
          source: data:,
        mode: 420
        overwrite: true
        path: /etc/chrony.d/.mco-keep
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
        mode: 420
        overwrite: true
        path: /etc/chrony.d/ntp-server.conf

OVAL definition:

Definition ID:

oval:ssg-chronyd_client_only:def:1

Title:

Disable chrony daemon from acting as server

Description:

Configure the port setting in /etc/chrony.conf to disable server operation.

Version:

OVAL graph of OVAL definition: oval:ssg-chronyd_client_only:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_chrony

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.

Rationale:

Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.

Severity:

low

Identifiers:

CCE-82466-4

References:

disa:	CCI-000381, CCI-000382
nist:	CM-7(1)
os-srg:	SRG-OS-000095-GPOS-00049, SRG-OS-000096-GPOS-00050

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
      - contents:
          source: data:,
        mode: 420
        overwrite: true
        path: /etc/chrony.d/.mco-keep
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
        mode: 420
        overwrite: true
        path: /etc/chrony.d/ntp-server.conf

OVAL definition:

Definition ID:

oval:ssg-chronyd_no_chronyc_network:def:1

Title:

Disable network management of chrony daemon

Description:

Configure the cmdport setting in /etc/chrony.conf to disable chronyc management connections over network.

Version:

OVAL graph of OVAL definition: oval:ssg-chronyd_no_chronyc_network:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_chrony

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

The maxpoll should be configured to 10 in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/) add the following after each server, pool or peer entry:

maxpoll 10

to server directives. If using chrony, any pool directives should be configured too.

Note that if the remediation shipping with this content is being used, the MachineConfig shipped does not include reference NTP servers to point to. It is up to the admin to set these which will vary depending on the cluster's requirements.

The aforementioned remediation does include the directory /etc/chrony.d which would allow the creation of configuration files to set these servers.

If we'd like to set a configuration like the following:

pool 2.rhel.pool.ntp.org iburst

server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10

This could be done with to the following manifest:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-chrony-servers
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
        mode: 0600
        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
        overwrite: true

Note that this needs to be done for each

MachineConfigPool

Rationale:

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Severity:

medium

Identifiers:

CCE-82684-2

References:

cis-csc:	1, 14, 15, 16, 3, 5, 6
cobit5:	APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-001890, CCI-004923, CCI-004926
isa-62443-2009:	4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nist:	AU-12(1), AU-8(1)(b), CM-6(a)
nist-csf:	PR.PT-1
os-srg:	SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
      - contents:
          source: data:,
        mode: 420
        overwrite: true
        path: /etc/chrony.d/.mco-keep
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
        mode: 420
        overwrite: true
        path: /etc/chrony.d/ntp-server.conf

OVAL definition:

Definition ID:

oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1

Title:

Configure Time Service Maxpoll Interval

Description:

Configure the maxpoll setting in /etc/ntp.conf or chrony.conf to continuously poll the time source servers.

Version:

OVAL graph of OVAL definition: oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_chrony_or_package_ntp

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so, perform the following:

if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.

Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:

server ntpserver

The aforementioned remediation does include the directory /etc/chrony.d which would allow the creation of configuration files to set these servers.

If we'd like to set a configuration like the following:

pool 2.rhel.pool.ntp.org iburst

server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10

This could be done with to the following manifest:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-chrony-servers
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
        mode: 0600
        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
        overwrite: true

Note that this needs to be done for each

MachineConfigPool

Rationale:

Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Severity:

medium

Identifiers:

CCE-82685-9

References:

cis-csc:	1, 14, 15, 16, 3, 5, 6
cobit5:	APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
isa-62443-2009:	4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
ism:	0988, 1405
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nist:	AU-12(1), AU-8(1)(a), AU-8(2), CM-6(a)
nist-csf:	PR.PT-1
pcidss:	Req-10.4.3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
      - contents:
          source: data:,
        mode: 420
        overwrite: true
        path: /etc/chrony.d/.mco-keep
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
        mode: 420
        overwrite: true
        path: /etc/chrony.d/ntp-server.conf

OVAL definition:

Definition ID:

oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1

Title:

Specify Additional Remote NTP Servers

Description:

Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met)

Version:

OVAL graph of OVAL definition: oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_chrony_or_package_ntp

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server

Result:

pass

Time:

2025-04-03T20:56:20+00:00

Description:

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:

if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.

Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

server ntpserver

This instructs the NTP software to contact that remote server to obtain time data.

The aforementioned remediation does include the directory /etc/chrony.d which would allow the creation of configuration files to set these servers.

If we'd like to set a configuration like the following:

pool 2.rhel.pool.ntp.org iburst

server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10

This could be done with to the following manifest:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-chrony-servers
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
        mode: 0600
        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
        overwrite: true

Note that this needs to be done for each

MachineConfigPool

Rationale:

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

Severity:

medium

Identifiers:

CCE-82683-4

References:

cis-csc:	1, 14, 15, 16, 3, 5, 6
cobit5:	APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
cui:	3.3.7
disa:	CCI-000160, CCI-001891
isa-62443-2009:	4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nist:	AU-12(1), AU-8(1)(a), AU-8(2), CM-6(a)
nist-csf:	PR.PT-1
pcidss:	Req-10.4.1, Req-10.4.3
stigid:	CNTR-OS-000230, CNTR-OS-000240, SRG-APP-000116-CTR-000235

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
      - contents:
          source: data:,
        mode: 420
        overwrite: true
        path: /etc/chrony.d/.mco-keep
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
        mode: 420
        overwrite: true
        path: /etc/chrony.d/ntp-server.conf

OVAL definition:

Definition ID:

oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1

Title:

Specify a Remote NTP Server

Description:

A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met)

Version:

OVAL graph of OVAL definition: oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_chrony_or_package_ntp

high

fail

Rule ID:

xccdf_org.ssgproject.content_rule_configure_crypto_policy

Result:

fail

Time:

2025-04-03T20:55:24+00:00

Description:

To configure the system cryptography policy to use ciphers only from the FIPS policy, create a MachineConfig as follows:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 50-master-configure-crypto-policy
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
        - name: configure-crypto-policy.service
          enabled: true
          contents: |
            [Unit]
            Before=kubelet.service
            [Service]
            Type=oneshot
            ExecStart=update-crypto-policies --set FIPS
            RemainAfterExit=yes
            [Install]
            WantedBy=multi-user.target

This will configure the crypto policy appropriately in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.

Rationale:

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Severity:

high

Identifiers:

CCE-82541-4

References:

disa:	CCI-000068, CCI-000877, CCI-001453, CCI-002418, CCI-002450, CCI-002890, CCI-003123
hipaa:	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii)
ism:	1446
nerc-cip:	CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
nist:	AC-17(2), AC-17(a), CM-6(a), MA-4(6), SC-12(2), SC-12(3), SC-13
os-srg:	SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176
ospp:	FCS_CKM.1, FCS_CKM.2, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_TLSC_EXT.1
pcidss4:	2.2, 2.2.7

Warnings:

General warning

The system needs to be rebooted for these changes to take effect.

Regulatory warning

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
        - name: configure-crypto-policy.service
          enabled: true
          contents: |
            [Unit]
            Before=kubelet.service
            [Service]
            Type=oneshot
            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
            RemainAfterExit=yes
            [Install]
            WantedBy=multi-user.target

OVAL definition:

Definition ID:

oval:ssg-configure_crypto_policy:def:1

Title:

Configure System Cryptography Policy

Description:

Ensure crypto policy is correctly configured in /etc/crypto-policies/config, and the policy is current.

Version:

OVAL graph of OVAL definition: oval:ssg-configure_crypto_policy:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

high

pass

Rule ID:

xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy

Result:

pass

Time:

2025-04-03T20:55:24+00:00

Description:

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

Rationale:

Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

Severity:

high

Identifiers:

CCE-82547-1

References:

disa:	CCI-000803
ism:	0418, 1055, 1402
nerc-cip:	CIP-003-8 R4.2, CIP-007-3 R5.1
nist:	SC-12(2), SC-12(3), SC-13
os-srg:	SRG-OS-000120-GPOS-00061

OVAL definition:

Definition ID:

oval:ssg-configure_kerberos_crypto_policy:def:1

Title:

Configure Kerberos to use System Crypto Policy

Description:

Kerberos should be configured to use the system-wide crypto policy setting.

Version:

OVAL graph of OVAL definition: oval:ssg-configure_kerberos_crypto_policy:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy

Result:

pass

Time:

2025-04-03T20:55:24+00:00

Description:

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.

Rationale:

Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.

Severity:

medium

Identifiers:

CCE-82545-5

References:

disa:	CCI-001453
nerc-cip:	CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
nist:	AC-17(2), AC-17(a), CM-6(a), MA-4(6), SC-12(2), SC-12(3), SC-13
os-srg:	SRG-OS-000250-GPOS-00093
ospp:	FCS_CKM.1, FCS_CKM.1.1, FCS_CKM.2, FCS_COP.1/ENCRYPT, FCS_COP.1/HASH, FCS_COP.1/KEYHMAC, FCS_COP.1/SIGN, FCS_TLSC_EXT.1, FCS_TLSC_EXT.1.1
pcidss:	Req-2.2

OVAL definition:

Definition ID:

oval:ssg-configure_openssl_crypto_policy:def:1

Title:

Configure OpenSSL library to use System Crypto Policy

Description:

OpenSSL should be configured to use the system-wide crypto policy setting.

Version:

OVAL graph of OVAL definition: oval:ssg-configure_openssl_crypto_policy:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy

Result:

pass

Time:

2025-04-03T20:55:24+00:00

Description:

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all in the /etc/sysconfig/sshd.

Rationale:

Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

Severity:

medium

References:

disa:	CCI-001453
hipaa:	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii)
nerc-cip:	CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
nist:	AC-17(2), AC-17(a), CM-6(a), MA-4(6), SC-13
os-srg:	SRG-OS-000250-GPOS-00093
ospp:	FCS_SSHC_EXT.1, FCS_SSHS_EXT.1, FCS_SSH_EXT.1
pcidss:	Req-2.2
pcidss4:	2.2, 2.2.7

OVAL definition:

Definition ID:

oval:ssg-configure_ssh_crypto_policy:def:1

Title:

Configure SSH to use System Crypto Policy

Description:

SSH should be configured to use the system-wide crypto policy setting.

Version:

OVAL graph of OVAL definition: oval:ssg-configure_ssh_crypto_policy:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

low

notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend

Result:

notapplicable

Time:

2025-04-03T20:56:23+00:00

Description:

To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.

Rationale:

Using the Linux Audit logging allows for centralized trace of events.

Severity:

low

Identifiers:

CCE-82538-0

References:

disa:	CCI-000169
nist:	AU-2, CM-8(3), IA-3
os-srg:	SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215
ospp:	FMT_SMF_EXT.1
stigid:	CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030, SRG-APP-000141-CTR-000315

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
    complianceascode.io/ocp-version: '>=4.7.0'
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3Dblock%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20state%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20manager%20backend%0A%23%0A%23%20Which%20device%20manager%20backend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20umockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20interpreted%20by%20the%20daemon%0A%23%20as%20access%20control%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20and%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%0A%23%0A%23%20Hides%20personally%20identifiable%20information%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }}
        mode: 0600
        path: /etc/usbguard/usbguard-daemon.conf
        overwrite: true

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#not_s390x_arch_and_system_with_kernel

CPE platform required by rule:

#package_usbguard

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coredump_disable_backtraces

Result:

fail

Time:

2025-04-03T20:56:13+00:00

Description:

The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.

Rationale:

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.

Severity:

medium

Identifiers:

CCE-82529-9

References:

disa:	CCI-000366
nist:	CM-6
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-3.2
pcidss4:	3.3, 3.3.1, 3.3.1.1

Warnings:

General warning

If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
        mode: 0644
        path: /etc/systemd/coredump.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-coredump_disable_backtraces:def:1

Title:

Disable core dump backtraces

Description:

Ensure 'ProcessSizeMax' is configured with value '0 in section 'Coredump' in /etc/systemd/coredump.conf

Version:

OVAL graph of OVAL definition: oval:ssg-coredump_disable_backtraces:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#package_systemd

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coredump_disable_storage

Result:

fail

Time:

2025-04-03T20:56:13+00:00

Description:

The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.

Rationale:

Severity:

medium

Identifiers:

CCE-82528-1

References:

disa:	CCI-000366
nist:	CM-6
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-3.2
pcidss4:	3.3, 3.3.1, 3.3.1.1

Warnings:

General warning

If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
        mode: 0644
        path: /etc/systemd/coredump.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-coredump_disable_storage:def:1

Title:

Disable storing core dump

Description:

Ensure 'Storage' is configured with value 'none in section 'Coredump' in /etc/systemd/coredump.conf

Version:

OVAL graph of OVAL definition: oval:ssg-coredump_disable_storage:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#package_systemd

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale:

audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.

Severity:

medium

Identifiers:

CCE-82671-9

References:

nist:	CM-6(a)
os-srg:	SRG-OS-000254-GPOS-00095
stigid:	CNTR-OS-000170, CNTR-OS-000220, SRG-APP-000092-CTR-000165

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	restrict

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
    - audit_backlog_limit=8192

OVAL definition:

Definition ID:

oval:ssg-coreos_audit_backlog_limit_kernel_argument:def:1

Title:

Extend Audit Backlog Limit for the Audit Daemon

Description:

Ensure audit_backlog_limit=8192 argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_audit_backlog_limit_kernel_argument:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_audit_option

Result:

fail

Time:

2025-04-03T20:56:25+00:00

Description:

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale:

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Severity:

medium

Identifiers:

CCE-82670-1

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.3.1
disa:	CCI-000130, CCI-001464
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nerc-cip:	CIP-004-6 R3.3, CIP-007-3 R7.1
nist:	AC-17(1), AU-10, AU-14(1), CM-6(a), IR-5(1)
nist-csf:	DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
pcidss:	Req-10.3
stigid:	CNTR-OS-000170, CNTR-OS-000220, SRG-APP-000092-CTR-000165

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	restrict

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
    - audit=1

OVAL definition:

Definition ID:

oval:ssg-coreos_audit_option:def:1

Title:

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Description:

Ensure audit=1 argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_audit_option:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot

Result:

pass

Time:

2025-04-03T20:55:26+00:00

Description:

Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux CoreOS 4 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument.

Rationale:

Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Severity:

medium

Identifiers:

CCE-83548-8

References:

cis-csc:	11, 12, 14, 15, 16, 18, 3, 5
cobit5:	DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
cui:	3.1.2, 3.4.5
disa:	CCI-000213
hipaa:	164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
iso27001-2013:	A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), SC-2(1)
nist-csf:	PR.AC-4, PR.AC-6, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227

OVAL definition:

Definition ID:

oval:ssg-coreos_disable_interactive_boot:def:1

Title:

Verify that Interactive Boot is Disabled

Description:

Ensure systemd.confirm_spawn=(?:1|yes|true|on) argument is not present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_disable_interactive_boot:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument

Result:

pass

Time:

2025-04-03T20:56:14+00:00

Description:

SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

Rationale:

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Severity:

medium

Identifiers:

CCE-83899-5

References:

bsi:	APP.4.4.A4, SYS.1.6.A18, SYS.1.6.A21, SYS.1.6.A3
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
cobit5:	APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
cui:	3.1.2, 3.7.2
disa:	CCI-000022, CCI-000032
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
isa-62443-2009:	4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	AC-3, AC-3(3)(a)
nist-csf:	DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
stigid:	CNTR-OS-000540, SRG-APP-000233-CTR-000585

OVAL definition:

Definition ID:

oval:ssg-coreos_enable_selinux_kernel_argument:def:1

Title:

Ensure SELinux Not Disabled in the kernel arguments

Description:

Ensure selinux=0 argument is not present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_enable_selinux_kernel_argument:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, Add the nousb kernel argument via a MachineConfig object.

Rationale:

Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

Severity:

medium

Identifiers:

CCE-83443-2

References:

cis-csc:	12, 16
cobit5:	APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03
disa:	CCI-001250
hipaa:	164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6
iso27001-2013:	A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1
nist:	CM-6(a), MP-7
nist-csf:	PR.AC-3, PR.AC-6

Warnings:

Functionality warning

Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	restrict

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
    - nousb

OVAL definition:

Definition ID:

oval:ssg-coreos_nousb_kernel_argument:def:1

Title:

Disable Kernel Support for USB via Bootloader Configuration

Description:

Ensure nousb argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_nousb_kernel_argument:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument

Result:

fail

Time:

2025-04-03T20:56:14+00:00

Description:

To enable poisoning of free pages, add the argument page_poison=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale:

Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Severity:

medium

Identifiers:

CCE-82673-5

References:

nist:	CM-6(a)
stigid:	CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610, SRG-APP-000243-CTR-000600

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	restrict

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
    - page_poison=1

OVAL definition:

Definition ID:

oval:ssg-coreos_page_poison_kernel_argument:def:1

Title:

Enable page allocator poisoning

Description:

Ensure page_poison=1 argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_page_poison_kernel_argument:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

high

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

To enable Kernel page-table isolation, add the argument pti=on to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale:

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

Severity:

high

Identifiers:

CCE-82497-9

References:

nist:	SI-16
os-srg:	SRG-OS-000433-GPOS-00193

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	restrict

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
    - pti=on

OVAL definition:

Definition ID:

oval:ssg-coreos_pti_kernel_argument:def:1

Title:

Enable Kernel Page-Table Isolation (KPTI)

Description:

Ensure pti=on argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_pti_kernel_argument:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#grub2_and_system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

To disable use of virtual syscalls, add the argument vsyscall=none to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale:

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

Severity:

medium

Identifiers:

CCE-82674-3

References:

nist:	CM-7(a)
os-srg:	SRG-OS-000480-GPOS-00227
stigid:	CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610, SRG-APP-000243-CTR-000600

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	restrict

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
    - vsyscall=none

OVAL definition:

Definition ID:

oval:ssg-coreos_vsyscall_kernel_argument:def:1

Title:

Disable vsyscalls

Description:

Ensure vsyscall=none argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.

Version:

OVAL graph of OVAL definition: oval:ssg-coreos_vsyscall_kernel_argument:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#grub2_and_system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_directory_access_var_log_audit

Result:

fail

Time:

2025-04-03T20:56:26+00:00

Description:

The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory are collected. Set ARCH to either b32 for 32-bit system, or have two lines for both b32 and b64 in case your system is 64-bit.

-a always,exit -F arch=ARCH -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to /etc/audit/audit.rules file.

Rationale:

Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.'

Severity:

medium

Identifiers:

CCE-82712-1

References:

nist:	AC-6(9), AU-12(c), AU-2(d), CM-6(a)
pcidss4:	10.3, 10.3.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
#

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/audit/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
        mode: 0600
        path: /etc/audit/rules.d/30-access-var-log-audit.rules
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-directory_access_var_log_audit:def:1

Title:

Record Access Events to Audit Log Directory

Description:

Audit rules about the read events to /var/log/audit

Version:

OVAL graph of OVAL definition: oval:ssg-directory_access_var_log_audit:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit

Result:

pass

Time:

2025-04-03T20:56:26+00:00

Description:

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:

$ sudo chmod 0750 /var/log/audit

Otherwise, change the mode of the audit log files with the following command:

$ sudo chmod 0700 /var/log/audit

Rationale:

If users can write to audit logs, audit trails can be modified or destroyed.

Severity:

medium

Identifiers:

CCE-82692-5

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cobit5:	APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
disa:	CCI-000162, CCI-000163, CCI-000164
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5
nist:	AC-6(1), AU-9, CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

OVAL definition:

Definition ID:

oval:ssg-directory_permissions_var_log_audit:def:1

Title:

System Audit Logs Must Have Mode 0750 or Less Permissive

Description:

Checks for correct permissions for audit logs.

Version:

OVAL graph of OVAL definition: oval:ssg-directory_permissions_var_log_audit:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

high

fail

Rule ID:

xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, create a MachineConfig similar to the following:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-disable-ctrlaltdel-burstaction
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,CtrlAltDelBurstAction%3Dnone
        mode: 0644
        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
        overwrite: true
EOF

This will add the relevant configuration to /etc/systemd/system.conf.d/, thus configuring Systemd apropriately.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Severity:

high

Identifiers:

CCE-82495-3

References:

cis-csc:	12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.07, DSS06.02
cui:	3.4.5
disa:	CCI-000366, CCI-002235
hipaa:	164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-2009:	4.3.3.7.3
isa-62443-2013:	SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-6(1), CM-6(a), CM-6(a)
nist-csf:	PR.AC-4, PR.DS-5
os-srg:	SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
ospp:	FAU_GEN.1.2

Warnings:

Functionality warning

Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,CtrlAltDelBurstAction%3Dnone
        mode: 0644
        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-disable_ctrlaltdel_burstaction:def:1

Title:

Disable Ctrl-Alt-Del Burst Action

Description:

Configure the CtrlAltDelBurstAction setting in /etc/systemd/system.conf or /etc/systemd/system.conf.d/* to none to prevent a reboot if Ctrl-Alt-Delete is pressed more than 7 times in 2 seconds.

Version:

OVAL graph of OVAL definition: oval:ssg-disable_ctrlaltdel_burstaction:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_systemd

high

fail

Rule ID:

xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, create a MachineConfig similar to the following:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-disable-ctrlaltdel-reboot
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: ctrl-alt-del.target
        mask: true
EOF

This will mask the ctrl-alt-del.target systemd target for all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

Severity:

high

Identifiers:

CCE-82493-8

References:

cis-csc:	12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.07, DSS06.02
cui:	3.4.5
disa:	CCI-000366, CCI-002235
hipaa:	164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-2009:	4.3.3.7.3
isa-62443-2013:	SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-6(1), CM-6(a)
nist-csf:	PR.AC-4, PR.DS-5
os-srg:	SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
ospp:	FAU_GEN.1.2

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: ctrl-alt-del.target
        mask: true

OVAL definition:

Definition ID:

oval:ssg-disable_ctrlaltdel_reboot:def:1

Title:

Disable Ctrl-Alt-Del Reboot Activation

Description:

By default, the system will reboot when the Ctrl-Alt-Del key sequence is pressed.

Version:

OVAL graph of OVAL definition: oval:ssg-disable_ctrlaltdel_reboot:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_disable_users_coredumps

Result:

fail

Time:

2025-04-03T20:56:13+00:00

Description:

To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:

*     hard   core    0

Rationale:

Severity:

medium

Identifiers:

CCE-82526-5

References:

cis-csc:	1, 12, 13, 15, 16, 2, 7, 8
cobit5:	APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07
disa:	CCI-000366
isa-62443-2013:	SR 6.2, SR 7.1, SR 7.2
iso27001-2013:	A.12.1.3, A.17.2.1
nist:	CM-6, SC-7(10)
nist-csf:	DE.CM-1, PR.DS-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss4:	3.3, 3.3.1, 3.3.1.1

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
        mode: 0644
        path: /etc/security/limits.d/75-disable_users_coredumps.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-disable_users_coredumps:def:1

Title:

Disable Core Dumps for All Users

Description:

Core dumps for all users should be disabled

Version:

OVAL graph of OVAL definition: oval:ssg-disable_users_coredumps:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#package_pam

high

fail

Rule ID:

xccdf_org.ssgproject.content_rule_enable_fips_mode

Result:

fail

Time:

2025-04-03T20:55:24+00:00

Description:

OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag

fips: true

must be enabled at install time in the

install-config.yaml

file. If this rule fails on an installed cluster, then this is a permanent finding and cannot be fixed.

Rationale:

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Severity:

high

Identifiers:

CCE-82540-6

References:

disa:	CCI-000068, CCI-000877, CCI-002418, CCI-002450
ism:	1446
nerc-cip:	CIP-003-8 R4.2, CIP-007-3 R5.1
nist:	CM-3(6), CM-6(a), IA-7, SC-12, SC-12(2), SC-12(3), SC-13
os-srg:	SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223
ospp:	FCS_CKM.1, FCS_CKM.2, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_RBG_EXT.1, FCS_TLSC_EXT.1

Warnings:

General warning

To configure Red Hat Enterprise Linux CoreOS 4 to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Only enabling FIPS 140 mode during the Red Hat Enterprise Linux CoreOS 4 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.

Regulatory warning

This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search. This rule checks if the system is running in FIPS mode.

OVAL definition:

Definition ID:

oval:ssg-enable_fips_mode:def:1

Title:

Enable FIPS Mode

Description:

Check if FIPS mode is enabled on the system

Version:

OVAL graph of OVAL definition: oval:ssg-enable_fips_mode:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#not_osbuild_and_system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_ensure_logrotate_activated

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task or a timer. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:

# rotate log files frequency
daily

Rationale:

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Severity:

medium

Identifiers:

CCE-82689-1

References:

anssi:	R71
cis-csc:	1, 14, 15, 16, 3, 5, 6
cobit5:	APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-000366
isa-62443-2009:	4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nist:	CM-6(a)
nist-csf:	PR.PT-1
pcidss:	Req-10.7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. }}
        mode: 0644
        path: /etc/logrotate.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-ensure_logrotate_activated:def:1

Title:

Ensure Logrotate Runs Periodically

Description:

The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily

Version:

OVAL graph of OVAL definition: oval:ssg-ensure_logrotate_activated:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_logrotate

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config

Result:

pass

Time:

2025-04-03T20:56:20+00:00

Description:

To properly set the group owner of /etc/ssh/sshd_config, run the command:

$ sudo chgrp root /etc/ssh/sshd_config

Rationale:

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Severity:

medium

References:

anssi:	R50
cis-csc:	12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.07, DSS06.02
disa:	CCI-000366
isa-62443-2009:	4.3.3.7.3
isa-62443-2013:	SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-17(a), AC-6(1), CM-6(a)
nist-csf:	PR.AC-4, PR.DS-5
os-srg:	SRG-OS-000480-GPOS-00227

OVAL definition:

Definition ID:

oval:ssg-file_groupowner_sshd_config:def:1

Title:

Verify Group Who Owns SSH Server config file

Description:

This test makes sure that /etc/ssh/sshd_config is group owned by 0.

Version:

OVAL graph of OVAL definition: oval:ssg-file_groupowner_sshd_config:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_file_owner_sshd_config

Result:

pass

Time:

2025-04-03T20:56:20+00:00

Description:

To properly set the owner of /etc/ssh/sshd_config, run the command:

$ sudo chown root /etc/ssh/sshd_config

Rationale:

Severity:

medium

References:

anssi:	R50
cis-csc:	12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.07, DSS06.02
disa:	CCI-000366
isa-62443-2009:	4.3.3.7.3
isa-62443-2013:	SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-17(a), AC-6(1), CM-6(a)
nist-csf:	PR.AC-4, PR.DS-5
os-srg:	SRG-OS-000480-GPOS-00227

OVAL definition:

Definition ID:

oval:ssg-file_owner_sshd_config:def:1

Title:

Verify Owner on SSH Server config file

Description:

This test makes sure that /etc/ssh/sshd_config is owned by 0.

Version:

OVAL graph of OVAL definition: oval:ssg-file_owner_sshd_config:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit

Result:

pass

Time:

2025-04-03T20:56:26+00:00

Description:

All audit logs must be owned by root user and group. By default, the path for audit log is

/var/log/audit/

. To properly set the owner of /var/log/audit, run the command:

$ sudo chown root /var/log/audit

To properly set the owner of /var/log/audit/*, run the command:

$ sudo chown root /var/log/audit/*

Rationale:

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Severity:

medium

Identifiers:

CCE-82691-7

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
cui:	3.3.1
disa:	CCI-000162, CCI-000163, CCI-000164, CCI-001314
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-6(1), AU-9(4), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
pcidss:	Req-10.5.1
pcidss4:	10.3, 10.3.2
stigid:	CNTR-OS-000250, CNTR-OS-000260, CNTR-OS-000270, CNTR-OS-000280, CNTR-OS-000290, CNTR-OS-000300, SRG-APP-000118-CTR-000240

OVAL definition:

Definition ID:

oval:ssg-file_ownership_var_log_audit:def:1

Title:

System Audit Logs Must Be Owned By Root

Description:

Checks that all /var/log/audit files and directories are owned by the root user and group.

Version:

OVAL graph of OVAL definition: oval:ssg-file_ownership_var_log_audit:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_file_permissions_sshd_config

Result:

pass

Time:

2025-04-03T20:56:20+00:00

Description:

To properly set the permissions of /etc/ssh/sshd_config, run the command:

$ sudo chmod 0600 /etc/ssh/sshd_config

Rationale:

Severity:

medium

References:

anssi:	R50
cis-csc:	12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.07, DSS06.02
disa:	CCI-000366
isa-62443-2009:	4.3.3.7.3
isa-62443-2013:	SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-17(a), AC-6(1), CM-6(a)
nist-csf:	PR.AC-4, PR.DS-5
os-srg:	SRG-OS-000480-GPOS-00227
pcidss4:	2.2, 2.2.6

OVAL definition:

Definition ID:

oval:ssg-file_permissions_sshd_config:def:1

Title:

Verify Permissions on SSH Server config file

Description:

This test makes sure that /etc/ssh/sshd_config has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check.

Version:

OVAL graph of OVAL definition: oval:ssg-file_permissions_sshd_config:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key

Result:

pass

Time:

2025-04-03T20:56:20+00:00

Description:

SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. If those files are owned by the root user and the root group, they have to have the 0640 permission or stricter. If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter.

Rationale:

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Severity:

medium

References:

anssi:	R50
cis-csc:	12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.07, DSS06.02
cui:	3.1.13, 3.13.10
disa:	CCI-000366
isa-62443-2009:	4.3.3.7.3
isa-62443-2013:	SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-17(a), AC-6(1), CM-6(a)
nist-csf:	PR.AC-4, PR.DS-5
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-2.2.4
pcidss4:	2.2, 2.2.6

Warnings:

General warning

Remediation is not possible at bootable container build time because SSH host keys are generated post-deployment.

OVAL definition:

Definition ID:

oval:ssg-file_permissions_sshd_private_key:def:1

Title:

Verify Permissions on SSH Server Private *_key Key Files

Description:

The system sshd key is owned by root:root and has the 0600 permission, or by a root:ssh_keys with the 0640 permission

Version:

OVAL graph of OVAL definition: oval:ssg-file_permissions_sshd_private_key:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key

Result:

pass

Time:

2025-04-03T20:56:20+00:00

Description:

To properly set the permissions of /etc/ssh/*.pub, run the command:

$ sudo chmod 0644 /etc/ssh/*.pub

Rationale:

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Severity:

medium

References:

anssi:	R50
cis-csc:	12, 13, 14, 15, 16, 18, 3, 5
cobit5:	APO01.06, DSS05.04, DSS05.07, DSS06.02
cui:	3.1.13, 3.13.10
disa:	CCI-000366
isa-62443-2009:	4.3.3.7.3
isa-62443-2013:	SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-17(a), AC-6(1), CM-6(a)
nist-csf:	PR.AC-4, PR.DS-5
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-2.2.4
pcidss4:	2.2, 2.2.6

Warnings:

General warning

Remediation is not possible at bootable container build time because SSH host keys are generated post-deployment.

OVAL definition:

Definition ID:

oval:ssg-file_permissions_sshd_pub_key:def:1

Title:

Verify Permissions on SSH Server Public *.pub Key Files

Description:

This test makes sure that /etc/ssh/ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check.

Version:

OVAL graph of OVAL definition: oval:ssg-file_permissions_sshd_pub_key:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit

Result:

pass

Time:

2025-04-03T20:56:26+00:00

Description:

Determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command:

$ sudo chmod 0600 audit_log_file

By default, audit_log_file is "/var/log/audit/audit.log".

Rationale:

If users can write to audit logs, audit trails can be modified or destroyed.

Severity:

medium

Identifiers:

CCE-82690-9

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis:	5.4.1.1
cobit5:	APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
cui:	3.3.1
disa:	CCI-000162, CCI-000163, CCI-000164, CCI-001314
isa-62443-2009:	4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-6(1), AU-9(4), CM-6(a)
nist-csf:	DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
pcidss:	Req-10.5
pcidss4:	10.3, 10.3.1
stigid:	CNTR-OS-000250, CNTR-OS-000260, CNTR-OS-000270, CNTR-OS-000280, CNTR-OS-000290, CNTR-OS-000300, SRG-APP-000118-CTR-000240

OVAL definition:

Definition ID:

oval:ssg-file_permissions_var_log_audit:def:1

Title:

System Audit Logs Must Have Mode 0640 or Less Permissive

Description:

Checks for correct permissions for all audit log files.

Version:

OVAL graph of OVAL definition: oval:ssg-file_permissions_var_log_audit:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

#package_audit

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled

Result:

fail

Time:

2025-04-03T20:55:58+00:00

Description:

The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:

install atm /bin/false

Rationale:

Disabling ATM protects the system against exploitation of any flaws in its implementation.

Severity:

medium

Identifiers:

CCE-82518-2

References:

disa:	CCI-000381
nist:	AC-18
os-srg:	SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20atm%20/bin/false%0Ablacklist%20atm%0A
        mode: 0644
        path: /etc/modprobe.d/atm.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_atm_disabled:def:1

Title:

Disable ATM Support

Description:

The kernel module atm should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_atm_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled

Result:

fail

Time:

2025-04-03T20:56:00+00:00

Description:

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

install bluetooth /bin/true

Rationale:

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Severity:

medium

Identifiers:

CCE-82515-8

References:

cis-csc:	11, 12, 14, 15, 3, 8, 9
cjis:	5.13.1.3
cobit5:	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
cui:	3.1.16
disa:	CCI-000381, CCI-001443
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nist:	AC-18(3), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7
nist-csf:	PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118
ospp:	FMT_SMF_EXT.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20bluetooth%20/bin/false%0Ablacklist%20bluetooth%0A
        mode: 0644
        path: /etc/modprobe.d/bluetooth.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_bluetooth_disabled:def:1

Title:

Disable Bluetooth Kernel Module

Description:

The kernel module bluetooth should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_bluetooth_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_can_disabled

Result:

fail

Time:

2025-04-03T20:55:58+00:00

Description:

The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:

install can /bin/false

Rationale:

Disabling CAN protects the system against exploitation of any flaws in its implementation.

Severity:

medium

Identifiers:

CCE-82519-0

References:

disa:	CCI-000381
nist:	AC-18
os-srg:	SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
ospp:	FMT_SMF_EXT.1

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20can%20/bin/false%0Ablacklist%20can%0A
        mode: 0644
        path: /etc/modprobe.d/can.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_can_disabled:def:1

Title:

Disable CAN Support

Description:

The kernel module can should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_can_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled

Result:

fail

Time:

2025-04-03T20:56:00+00:00

Description:

To configure the system to prevent the cfg80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/cfg80211.conf:

install cfg80211 /bin/false

Rationale:

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Severity:

medium

Identifiers:

CCE-85932-2

References:

nist:

AC-18(3), AC-18(4), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20cfg80211%20/bin/false%0Ablacklist%20cfg80211%0A
        mode: 0644
        path: /etc/modprobe.d/cfg80211.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_cfg80211_disabled:def:1

Title:

Disable Kernel cfg80211 Module

Description:

The kernel module cfg80211 should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_cfg80211_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:

install cramfs /bin/false

This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the server.

Severity:

low

Identifiers:

CCE-82514-1

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
disa:	CCI-000381
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000095-GPOS-00049

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20cramfs%20/bin/false%0Ablacklist%20cramfs%0A
        mode: 0644
        path: /etc/modprobe.d/cramfs.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_cramfs_disabled:def:1

Title:

Disable Mounting of cramfs

Description:

The kernel module cramfs should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_cramfs_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled

Result:

fail

Time:

2025-04-03T20:55:58+00:00

Description:

The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:

install firewire-core /bin/false

Rationale:

Disabling FireWire protects the system against exploitation of any flaws in its implementation.

Severity:

low

Identifiers:

CCE-82517-4

References:

disa:	CCI-000381
nist:	AC-18
os-srg:	SRG-OS-000095-GPOS-00049

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20firewire-core%20/bin/false%0Ablacklist%20firewire-core%0A
        mode: 0644
        path: /etc/modprobe.d/firewire-core.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_firewire-core_disabled:def:1

Title:

Disable IEEE 1394 (FireWire) Support

Description:

The kernel module firewire-core should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_firewire-core_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:

install freevxfs /bin/false

This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:

low

Identifiers:

CCE-82713-9

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20freevxfs%20/bin/false%0Ablacklist%20freevxfs%0A
        mode: 0644
        path: /etc/modprobe.d/freevxfs.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_freevxfs_disabled:def:1

Title:

Disable Mounting of freevxfs

Description:

The kernel module freevxfs should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_freevxfs_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To configure the system to prevent the hfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf:

install hfs /bin/false

This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:

low

Identifiers:

CCE-82714-7

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20hfs%20/bin/false%0Ablacklist%20hfs%0A
        mode: 0644
        path: /etc/modprobe.d/hfs.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_hfs_disabled:def:1

Title:

Disable Mounting of hfs

Description:

The kernel module hfs should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_hfs_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:

install hfsplus /bin/false

This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:

low

Identifiers:

CCE-82715-4

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20hfsplus%20/bin/false%0Ablacklist%20hfsplus%0A
        mode: 0644
        path: /etc/modprobe.d/hfsplus.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_hfsplus_disabled:def:1

Title:

Disable Mounting of hfsplus

Description:

The kernel module hfsplus should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_hfsplus_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled

Result:

fail

Time:

2025-04-03T20:56:00+00:00

Description:

To configure the system to prevent the iwlmvm kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlmvm.conf:

install iwlmvm /bin/false

Rationale:

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Severity:

medium

Identifiers:

CCE-85933-0

References:

nist:

AC-18(3), AC-18(4), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20iwlmvm%20/bin/false%0Ablacklist%20iwlmvm%0A
        mode: 0644
        path: /etc/modprobe.d/iwlmvm.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_iwlmvm_disabled:def:1

Title:

Disable Kernel iwlmvm Module

Description:

The kernel module iwlmvm should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_iwlmvm_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled

Result:

fail

Time:

2025-04-03T20:56:00+00:00

Description:

To configure the system to prevent the iwlwifi kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlwifi.conf:

install iwlwifi /bin/false

Rationale:

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Severity:

medium

Identifiers:

CCE-85934-8

References:

nist:

AC-18(3), AC-18(4), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20iwlwifi%20/bin/false%0Ablacklist%20iwlwifi%0A
        mode: 0644
        path: /etc/modprobe.d/iwlwifi.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_iwlwifi_disabled:def:1

Title:

Disable Kernel iwlwifi Module

Description:

The kernel module iwlwifi should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_iwlwifi_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:

install jffs2 /bin/false

This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:

low

Identifiers:

CCE-82716-2

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20jffs2%20/bin/false%0Ablacklist%20jffs2%0A
        mode: 0644
        path: /etc/modprobe.d/jffs2.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_jffs2_disabled:def:1

Title:

Disable Mounting of jffs2

Description:

The kernel module jffs2 should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_jffs2_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled

Result:

fail

Time:

2025-04-03T20:56:00+00:00

Description:

To configure the system to prevent the mac80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/mac80211.conf:

install mac80211 /bin/false

Rationale:

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Severity:

medium

Identifiers:

CCE-85935-5

References:

nist:

AC-18(3), AC-18(4), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20mac80211%20/bin/false%0Ablacklist%20mac80211%0A
        mode: 0644
        path: /etc/modprobe.d/mac80211.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_mac80211_disabled:def:1

Title:

Disable Kernel mac80211 Module

Description:

The kernel module mac80211 should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_mac80211_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled

Result:

fail

Time:

2025-04-03T20:55:58+00:00

Description:

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:

install sctp /bin/false

Rationale:

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Severity:

medium

Identifiers:

CCE-82516-6

References:

cis-csc:	11, 14, 3, 9
cjis:	5.10.1
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
disa:	CCI-000381
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
ospp:	FMT_SMF_EXT.1
pcidss:	Req-1.4.2
pcidss4:	1.4, 1.4.2

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20sctp%20/bin/false%0Ablacklist%20sctp%0A
        mode: 0644
        path: /etc/modprobe.d/sctp.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_sctp_disabled:def:1

Title:

Disable SCTP Support

Description:

The kernel module sctp should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_sctp_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To configure the system to prevent the squashfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:

install squashfs /bin/false

This effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system.

Severity:

low

Identifiers:

CCE-82717-0

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20squashfs%20/bin/false%0Ablacklist%20squashfs%0A
        mode: 0644
        path: /etc/modprobe.d/squashfs.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_squashfs_disabled:def:1

Title:

Disable Mounting of squashfs

Description:

The kernel module squashfs should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_squashfs_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled

Result:

fail

Time:

2025-04-03T20:55:58+00:00

Description:

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:

install tipc /bin/false

Rationale:

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Severity:

low

Identifiers:

CCE-82520-8

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
disa:	CCI-000381
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000095-GPOS-00049
ospp:	FMT_SMF_EXT.1

Warnings:

General warning

This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as a node in High Performance Computing cluster, it is expected that the tipc kernel module will be loaded.

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20tipc%20/bin/false%0Ablacklist%20tipc%0A
        mode: 0644
        path: /etc/modprobe.d/tipc.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_tipc_disabled:def:1

Title:

Disable TIPC Support

Description:

The kernel module tipc should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_tipc_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:

install udf /bin/false

This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is neccessary to support writing DVDs and newer optical disc formats.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system.

Severity:

low

Identifiers:

CCE-82718-8

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.4.6
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20udf%20/bin/false%0Ablacklist%20udf%0A
        mode: 0644
        path: /etc/modprobe.d/udf.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_udf_disabled:def:1

Title:

Disable Mounting of udf

Description:

The kernel module udf should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_udf_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled

Result:

fail

Time:

2025-04-03T20:56:03+00:00

Description:

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:

install usb-storage /bin/false

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Rationale:

USB storage devices such as thumb drives can be used to introduce malicious software.

Severity:

medium

Identifiers:

CCE-82719-6

References:

cis-csc:	1, 12, 15, 16, 5
cobit5:	APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui:	3.1.21
disa:	CCI-000778, CCI-001958, CCI-003959
hipaa:	164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6
iso27001-2013:	A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nist:	CM-6(a), CM-7(a), CM-7(b), MP-7
nist-csf:	PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7
os-srg:	SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
pcidss4:	3.4, 3.4.2
stigid:	CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030, SRG-APP-000141-CTR-000315

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20usb-storage%20/bin/false%0Ablacklist%20usb-storage%0A
        mode: 0644
        path: /etc/modprobe.d/usb-storage.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-kernel_module_usb-storage_disabled:def:1

Title:

Disable Modprobe Loading of USB Storage Driver

Description:

The kernel module usb-storage should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-kernel_module_usb-storage_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_no_direct_root_logins

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux CoreOS 4's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command:

$ sudo echo > /etc/securetty

Rationale:

Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.

Severity:

medium

Identifiers:

CCE-82698-2

References:

anssi:	R33
cis-csc:	1, 12, 15, 16, 5
cobit5:	DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui:	3.1.1, 3.1.6
hipaa:	164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013:	A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	CM-6(a), IA-2
nist-csf:	PR.AC-1, PR.AC-6, PR.AC-7
pcidss4:	8.6, 8.6.1

Warnings:

General warning

This rule only checks the /etc/securetty file existence and its content. If you need to restrict user access using the /etc/securetty file, make sure the pam_securetty.so PAM module is properly enabled in relevant PAM files.

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,
        mode: 0600
        path: /etc/securetty
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-no_direct_root_logins:def:1

Title:

Direct root Logins Not Allowed

Description:

Preventing direct root logins help ensure accountability for actions taken on the system using the root account.

Version:

OVAL graph of OVAL definition: oval:ssg-no_direct_root_logins:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

high

fail

Rule ID:

xccdf_org.ssgproject.content_rule_no_empty_passwords

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords.

Rationale:

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Severity:

high

Identifiers:

CCE-82553-9

References:

cis-csc:	1, 12, 13, 14, 15, 16, 18, 3, 5
cjis:	5.5.2
cobit5:	APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10
cui:	3.1.1, 3.1.5
disa:	CCI-000366
hipaa:	164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nist:	CM-6(a), IA-5(1)(a), IA-5(c)
nist-csf:	PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5
os-srg:	SRG-OS-000480-GPOS-00227
ospp:	FIA_UAU.1
pcidss:	Req-8.2.3
pcidss4:	8.3, 8.3.1

Warnings:

General warning

If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
        mode: 0644
        path: /etc/pam.d/password-auth
        overwrite: true
      - contents:
          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
        mode: 0644
        path: /etc/pam.d/system-auth
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-no_empty_passwords:def:1

Title:

Prevent Login to Accounts With Empty Password

Description:

The file /etc/pam.d/system-auth should not contain the nullok option

Version:

OVAL graph of OVAL definition: oval:ssg-no_empty_passwords:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_no_netrc_files

Result:

pass

Time:

2025-04-03T20:55:26+00:00

Description:

The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed.

Rationale:

Unencrypted passwords for remote FTP servers may be stored in .netrc files.

Severity:

medium

Identifiers:

CCE-82667-7

References:

cis-csc:	1, 11, 12, 14, 15, 16, 18, 3, 5
cobit5:	DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
disa:	CCI-000196
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
iso27001-2013:	A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	CM-6(a), IA-5(1)(c), IA-5(7), IA-5(h)
nist-csf:	PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3

OVAL definition:

Definition ID:

oval:ssg-no_netrc_files:def:1

Title:

Verify No netrc Files Exist

Description:

The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.

Version:

OVAL graph of OVAL definition: oval:ssg-no_netrc_files:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts

Result:

pass

Time:

2025-04-03T20:55:26+00:00

Description:

Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command:

$ sudo usermod -s /sbin/nologin account

Rationale:

Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

Severity:

medium

Identifiers:

CCE-82697-4

References:

cis-csc:	1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
cobit5:	DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03
disa:	CCI-000366
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
ism:	1491
iso27001-2013:	A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nist:	AC-6, CM-6(a), CM-6(b), CM-6.1(iv)
nist-csf:	DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6
os-srg:	SRG-OS-000480-GPOS-00227
pcidss4:	8.2, 8.2.2

Warnings:

Functionality warning

Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.

OVAL definition:

Definition ID:

oval:ssg-no_shelllogin_for_systemaccounts:def:1

Title:

Ensure that System Accounts Do Not Run a Shell Upon Login

Description:

The root account is the only system account that should have a login shell.

Version:

OVAL graph of OVAL definition: oval:ssg-no_shelllogin_for_systemaccounts:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_no_tmux_in_shells

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.

Rationale:

Not listing tmux among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock.

Severity:

low

References:

disa:	CCI-000056, CCI-002235
nist:	CM-6
os-srg:	SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000324-GPOS-00125
ospp:	FMT_MOF_EXT.1, FMT_SMF_EXT.1, FTA_SSL.1

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,/bin/sh%0A/bin/bash%0A/usr/bin/sh%0A/usr/bin/bash%0A
        mode: 0644
        path: /etc/shells
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-no_tmux_in_shells:def:1

Title:

Prevent user from disabling the screen lock

Description:

Check that tmux is not listed in /etc/shells

Version:

OVAL graph of OVAL definition: oval:ssg-no_tmux_in_shells:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_package_audit_installed

Result:

pass

Time:

2025-04-03T20:56:23+00:00

Description:

The audit package should be installed.

Rationale:

The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.

Severity:

medium

Identifiers:

CCE-82669-3

References:

anssi:	R33, R73
disa:	CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000159, CCI-000169, CCI-000172, CCI-001464, CCI-001487, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-003938
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
nerc-cip:	CIP-004-6 R3.3, CIP-007-3 R6.5
nist:	AC-7(a), AU-12(2), AU-14, AU-2(a), AU-7(1), AU-7(2), CM-6(a)
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
ospp:	FAU_GEN.1
pcidss:	Req-10.1
pcidss4:	10.2, 10.2.1

OVAL definition:

Definition ID:

oval:ssg-package_audit_installed:def:1

Title:

Ensure the audit Subsystem is Installed

Description:

The RPM package audit should be installed.

Version:

OVAL graph of OVAL definition: oval:ssg-package_audit_installed:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_package_iptables-nft_installed

Result:

notapplicable

Time:

2025-04-03T20:55:26+00:00

Description:

The iptables-nft package can be installed with the following command:

$ sudo dnf install iptables-nft

Rationale:

iptables-nft controls the Linux kernel network packet filtering code. iptables-nft allows system operators to set up firewalls and IP masquerading, etc.

Severity:

medium

Identifiers:

CCE-86834-9

References:

nist:

CM-6(a)

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#rhcos4-rhel9

medium

notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_package_iptables_installed

Result:

notapplicable

Time:

2025-04-03T20:55:28+00:00

Description:

The iptables package can be installed with the following command:

$ sudo dnf install iptables

Rationale:

iptables controls the Linux kernel network packet filtering code. iptables allows system operators to set up firewalls and IP masquerading, etc.

Severity:

medium

Identifiers:

CCE-82522-4

References:

nist:	CM-6(a)
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#not_rhcos4-rhel9_and_service_disabled_nftables_and_service_disabled_ufw_and_system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_package_sudo_installed

Result:

pass

Time:

2025-04-03T20:55:24+00:00

Description:

The sudo package can be installed with the following command:

$ sudo dnf install sudo

Rationale:

sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

Severity:

medium

Identifiers:

CCE-82523-2

References:

anssi:	R33
disa:	CCI-002235
ism:	1382, 1384, 1386
nist:	CM-6(a)
os-srg:	SRG-OS-000324-GPOS-00125
ospp:	FMT_MOF_EXT.1
pcidss4:	2.2, 2.2.6

OVAL definition:

Definition ID:

oval:ssg-package_sudo_installed:def:1

Title:

Install sudo Package

Description:

The RPM package sudo should be installed.

Version:

OVAL graph of OVAL definition: oval:ssg-package_sudo_installed:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_package_usbguard_installed

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

The usbguard package can be installed with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-usbguard-install
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
    - usbguard

This will install the usbguard package in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.

Severity:

medium

Identifiers:

CCE-82524-0

References:

disa:	CCI-001958, CCI-003959
ism:	1418
nist:	CM-8(3), IA-3
os-srg:	SRG-OS-000378-GPOS-00163
ospp:	FMT_SMF_EXT.1
stigid:	CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030, SRG-APP-000141-CTR-000315

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
    - usbguard

OVAL definition:

Definition ID:

oval:ssg-package_usbguard_installed:def:1

Title:

Install usbguard Package

Description:

The RPM package usbguard should be installed.

Version:

OVAL graph of OVAL definition: oval:ssg-package_usbguard_installed:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#not_s390x_arch_and_system_with_kernel

low

notchecked

Rule ID:

xccdf_org.ssgproject.content_rule_partition_for_var_log

Result:

notchecked

Time:

2025-04-03T20:55:24+00:00

Description:

System logs are stored in the /var/log directory.

Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig manifest that specifies a separate /var/log partition, follow: https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic

Note that the Red Hat OpenShift documentation often references a block device, such as /dev/vda. The name of the available block devices depends on the underlying infrastructure (bare metal vs cloud), and often the specific instance type. For example in AWS, some instance types have NVMe drives (/dev/nvme*), others use /dev/xvda*. You will need to look for relevant documentation for your infrastructure around this. In many cases, the simplest thing is to boot a single machine with an Ignition configuration that just gives you SSH access, and inspect the block devices via e.g. the lsblk command. For physical hardware, a good best practice is to reference devices via the /dev/disk/by-id/ or /dev/disk/by-path links.

Rationale:

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Severity:

low

Identifiers:

CCE-82737-8

References:

anssi:	R28
cis-csc:	1, 12, 14, 15, 16, 3, 5, 6, 8
cobit5:	APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-000366
isa-62443-2009:	4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3
nerc-cip:	CIP-007-3 R6.5
nist:	AU-4, CM-6(a), SC-5(2)
nist-csf:	PR.PT-1, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Messages:

Message: Message:

No candidate or applicable check found.

Warning alert: There is no OVAL definition.

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#not_bootc_and_not_container

low

notchecked

Rule ID:

xccdf_org.ssgproject.content_rule_partition_for_var_log_audit

Result:

notchecked

Time:

2025-04-03T20:55:24+00:00

Description:

Audit logs are stored in the /var/log/audit directory.

Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig manifest that specifies a separate /var/log/audit partition, follow: https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic

Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale:

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Severity:

low

Identifiers:

CCE-82738-6

References:

anssi:	R71
cis-csc:	1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8
cobit5:	APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01
disa:	CCI-000366, CCI-001849
hipaa:	164.312(a)(2)(ii)
isa-62443-2009:	4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1
nerc-cip:	CIP-007-3 R6.5
nist:	AU-4, CM-6(a), SC-5(2)
nist-csf:	PR.DS-4, PR.PT-1, PR.PT-4
os-srg:	SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227
ospp:	FMT_SMF_EXT.1
stigid:	CNTR-OS-000200, CNTR-OS-000670, SRG-APP-000357-CTR-000800

Messages:

Message: Message:

No candidate or applicable check found.

Warning alert: There is no OVAL definition.

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#not_bootc_and_not_container

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_require_singleuser_auth

Result:

pass

Time:

2025-04-03T20:55:26+00:00

Description:

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.

Rationale:

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Severity:

medium

Identifiers:

CCE-82550-5

References:

cis-csc:	1, 11, 12, 14, 15, 16, 18, 3, 5
cobit5:	DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
cui:	3.1.1, 3.4.5
disa:	CCI-000213
hipaa:	164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
ism:	0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013:	A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	AC-3, CM-6(a), IA-2
nist-csf:	PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
os-srg:	SRG-OS-000080-GPOS-00048
ospp:	FIA_UAU.1

OVAL definition:

Definition ID:

oval:ssg-require_singleuser_auth:def:1

Title:

Require Authentication for Single User Mode

Description:

The requirement for a password to boot into single-user mode should be configured correctly.

Version:

OVAL graph of OVAL definition: oval:ssg-require_singleuser_auth:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_selinux_policytype

Result:

pass

Time:

2025-04-03T20:56:14+00:00

Description:

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=targeted

Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Rationale:

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.

Severity:

medium

Identifiers:

CCE-82532-3

References:

anssi:	R46, R64
bsi:	APP.4.4.A4, SYS.1.6.A18, SYS.1.6.A21, SYS.1.6.A3
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
cobit5:	APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
cui:	3.1.2, 3.7.2
disa:	CCI-002696
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
isa-62443-2009:	4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nist:	AC-3, AC-3(3)(a), AU-9, SC-7(21)
nist-csf:	DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000445-GPOS-00199
ospp:	FMT_MOF_EXT.1
pcidss4:	1.2, 1.2.6
stigid:	CNTR-OS-000540, SRG-APP-000233-CTR-000585

OVAL definition:

Definition ID:

oval:ssg-selinux_policytype:def:1

Title:

Configure SELinux Policy

Description:

Ensure 'SELINUXTYPE' is configured with value configured through XCCDF variable var_selinux_policy_name' in /etc/selinux/config

Version:

OVAL graph of OVAL definition: oval:ssg-selinux_policytype:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

high

pass

Rule ID:

xccdf_org.ssgproject.content_rule_selinux_state

Result:

pass

Time:

2025-04-03T20:56:14+00:00

Description:

The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing

Rationale:

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Severity:

high

Identifiers:

CCE-82531-5

References:

anssi:	R37, R79
bsi:	APP.4.4.A4, SYS.1.6.A18, SYS.1.6.A21, SYS.1.6.A3
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
cobit5:	APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
cui:	3.1.2, 3.7.2
disa:	CCI-001084, CCI-002696
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
isa-62443-2009:	4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nist:	AC-3, AC-3(3)(a), AU-9, SC-7(21)
nist-csf:	DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000134-GPOS-00068, SRG-OS-000445-GPOS-00199
ospp:	FMT_MOF_EXT.1
pcidss4:	1.2, 1.2.6
stigid:	CNTR-OS-000540

OVAL definition:

Definition ID:

oval:ssg-selinux_state:def:1

Title:

Ensure SELinux State is Enforcing

Description:

The SELinux state should be enforcing the local policy.

Version:

OVAL graph of OVAL definition: oval:ssg-selinux_state:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_service_auditd_enabled

Result:

pass

Time:

2025-04-03T20:56:25+00:00

Description:

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-auditd-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: auditd.service
        enabled: true

This will enable the auditd service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Severity:

medium

Identifiers:

CCE-82463-1

References:

anssi:	R33, R73
cis-csc:	1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis:	5.4.1.1
cobit5:	APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui:	3.3.1, 3.3.2, 3.3.6
disa:	CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000169, CCI-000172, CCI-001464, CCI-001487, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-003938, CCI-004188
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
isa-62443-2009:	4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nerc-cip:	CIP-004-6 R3.3, CIP-007-3 R6.5
nist:	AC-2(g), AC-6(9), AU-10, AU-12(c), AU-14(1), AU-2(d), AU-3, CM-6(a), SI-4(23)
nist-csf:	DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
os-srg:	SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
ospp:	FAU_GEN.1
pcidss:	Req-10.1
pcidss4:	10.2, 10.2.1
stigid:	CNTR-OS-000150, CNTR-OS-000180, SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: auditd.service
        enabled: true

OVAL definition:

Definition ID:

oval:ssg-service_auditd_enabled:def:1

Title:

Enable auditd Service

Description:

The auditd service should be enabled if possible.

Version:

OVAL graph of OVAL definition: oval:ssg-service_auditd_enabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

CPE platform required by rule:

#package_audit

medium

notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_service_autofs_disabled

Result:

notapplicable

Time:

2025-04-03T20:56:03+00:00

Description:

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-autofs-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true

This will disable the autofs service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Severity:

medium

Identifiers:

CCE-82663-6

References:

cis-csc:	1, 12, 15, 16, 5
cobit5:	APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui:	3.4.6
disa:	CCI-000366, CCI-000778, CCI-001958
hipaa:	164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6
iso27001-2013:	A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nist:	CM-6(a), CM-7(a), CM-7(b), MP-7
nist-csf:	PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7
os-srg:	SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Remediation script


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#package_autofs_and_system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_service_bluetooth_disabled

Result:

pass

Time:

2025-04-03T20:56:00+00:00

Description:

The bluetooth service can be disabled with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-bluetooth-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: bluetooth.service
        enabled: false
        mask: true
      - name: bluetooth.socket
        enabled: false
        mask: true

This will disable the bluetooth service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

$ sudo service bluetooth stop

Rationale:

Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Severity:

medium

References:

cis-csc:	11, 12, 14, 15, 3, 8, 9
cobit5:	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
cui:	3.1.16
disa:	CCI-000085, CCI-001551
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nist:	AC-18(3), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7
nist-csf:	PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Remediation script


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: bluetooth.service
        enabled: false
        mask: true
      - name: bluetooth.socket
        enabled: false
        mask: true

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: bluetooth.service
        enabled: false
        mask: true
      - name: bluetooth.socket
        enabled: false
        mask: true

OVAL definition:

Definition ID:

oval:ssg-service_bluetooth_disabled:def:1

Title:

Disable Bluetooth Service

Description:

The bluetooth service should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-service_bluetooth_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled

Result:

pass

Time:

2025-04-03T20:56:20+00:00

Description:

As a user with administrator privileges, log into a node in the relevant pool:

$ oc debug node/$NODE_NAME

At the

sh-4.4#

prompt, run:

# chroot /host

Run the following command to determine the current status of the chronyd service:

$ sudo systemctl is-active chronyd

If the service is running, it should return the following:

active

Note: The chronyd daemon is enabled by default.

As a user with administrator privileges, log into a node in the relevant pool:

$ oc debug node/$NODE_NAME

At the

sh-4.4#

prompt, run:

# chroot /host

Run the following command to determine the current status of the ntpd service:

$ sudo systemctl is-active ntpd

If the service is running, it should return the following:

active

Note: The ntpd daemon is not enabled by default. Though as mentioned in the previous sections in certain environments the ntpd daemon might be preferred to be used rather than the chronyd one. Refer to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for guidance which NTP daemon to choose depending on the environment used.

Rationale:

Enabling some of chronyd or ntpd services ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.

Severity:

medium

Identifiers:

CCE-82682-6

References:

anssi:	R71
cis-csc:	1, 14, 15, 16, 3, 5, 6
cobit5:	APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
cui:	3.3.7
disa:	CCI-000160
isa-62443-2009:	4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013:	SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
ism:	0988, 1405
iso27001-2013:	A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nist:	AU-12(1), AU-8(1)(a), CM-6(a)
nist-csf:	PR.PT-1
pcidss:	Req-10.4.1
pcidss4:	10.6, 10.6.1
stigid:	CNTR-OS-000230, CNTR-OS-000240, SRG-APP-000116-CTR-000235

OVAL definition:

Definition ID:

oval:ssg-service_chronyd_or_ntpd_enabled:def:1

Title:

Enable the NTP Daemon

Description:

At least one of the chronyd or ntpd services should be enabled if possible.

Version:

OVAL graph of OVAL definition: oval:ssg-service_chronyd_or_ntpd_enabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_service_debug-shell_disabled

Result:

fail

Time:

2025-04-03T20:55:26+00:00

Description:

SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-debug-shell-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: debug-shell.service
        enabled: false
        mask: true
      - name: debug-shell.socket
        enabled: false
        mask: true

This will disable the debug-shell service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Severity:

medium

Identifiers:

CCE-82496-1

References:

cui:	3.4.5
disa:	CCI-000366, CCI-002235
hipaa:	164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
nist:	CM-6
os-srg:	SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
ospp:	FIA_UAU.1

Remediation script


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: debug-shell.service
        enabled: false
        mask: true
      - name: debug-shell.socket
        enabled: false
        mask: true

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: debug-shell.service
        enabled: false
        mask: true
      - name: debug-shell.socket
        enabled: false
        mask: true

OVAL definition:

Definition ID:

oval:ssg-service_debug-shell_disabled:def:1

Title:

Disable debug-shell SystemD Service

Description:

The debug-shell service should be disabled.

Version:

OVAL graph of OVAL definition: oval:ssg-service_debug-shell_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled

Result:

fail

Time:

2025-04-03T20:56:13+00:00

Description:

The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.

Rationale:

Severity:

medium

Identifiers:

CCE-82530-7

References:

disa:	CCI-000366
nist:	SC-7(10)
os-srg:	SRG-OS-000480-GPOS-00227
ospp:	FMT_SMF_EXT.1

OVAL definition:

Definition ID:

oval:ssg-service_systemd-coredump_disabled:def:1

Title:

Disable acquiring, saving, and processing core dumps

Description:

Disable systemd-coredump.socket

Version:

OVAL graph of OVAL definition: oval:ssg-service_systemd-coredump_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_service_usbguard_enabled

Result:

fail

Time:

2025-04-03T20:56:23+00:00

Description:

The USBGuard service should be enabled. The usbguard service can be enabled with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-usbguard-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: usbguard.service
        enabled: true

This will enable the usbguard service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale:

The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.

Severity:

medium

Identifiers:

CCE-82537-2

References:

disa:	CCI-001958, CCI-003959
ism:	1418
nist:	CM-8(3)(a), IA-3
os-srg:	SRG-OS-000378-GPOS-00163
ospp:	FMT_SMF_EXT.1
stigid:	CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030, SRG-APP-000141-CTR-000315

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: usbguard.service
        enabled: true

OVAL definition:

Definition ID:

oval:ssg-service_usbguard_enabled:def:1

Title:

Enable the USBGuard Service

Description:

The usbguard service should be enabled if possible.

Version:

OVAL graph of OVAL definition: oval:ssg-service_usbguard_enabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#not_s390x_arch_and_system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sshd_disable_rhosts

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

Rationale:

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Severity:

medium

Identifiers:

CCE-82665-1

References:

cis-csc:	11, 12, 14, 15, 16, 18, 3, 5, 9
cjis:	5.5.6
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
cui:	3.1.12
disa:	CCI-000366
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	AC-17(a), CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227
pcidss4:	2.2, 2.2.6

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0AInclude%20/etc/ssh/sshd_config.d/%2A.conf%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0ALogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
        mode: 0600
        path: /etc/ssh/sshd_config
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sshd_disable_rhosts:def:1

Title:

Disable SSH Support for .rhosts Files

Description:

Ensure 'IgnoreRhosts' is configured with value 'yes' in /etc/ssh/sshd_config

Version:

OVAL graph of OVAL definition: oval:ssg-sshd_disable_rhosts:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

unknown

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sshd_limit_user_access

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically allowing a user's access only from a particular host, the entry can be specified in the form of user@host. - AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.

Rationale:

Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.

Severity:

unknown

Identifiers:

CCE-82664-4

References:

cis-csc:	11, 12, 14, 15, 16, 18, 3, 5
cobit5:	DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
cui:	3.1.12
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
iso27001-2013:	A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	AC-3, CM-6(a)
nist-csf:	PR.AC-4, PR.AC-6, PR.PT-3
pcidss:	Req-2.2.4
pcidss4:	2.2, 2.2.6

Warnings:

General warning

Automated remediation is not available for this configuration check because each system has unique user names and group names.

OVAL definition:

Definition ID:

oval:ssg-sshd_limit_user_access:def:1

Title:

Limit Users' SSH Access

Description:

One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.

Version:

OVAL graph of OVAL definition: oval:ssg-sshd_limit_user_access:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out.

To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval 300

The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Rationale:

Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.

Severity:

medium

Identifiers:

CCE-82549-7

References:

cis-csc:	1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
cjis:	5.5.6
cobit5:	APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui:	3.1.11
disa:	CCI-001133, CCI-002361, CCI-002891
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	AC-12, AC-17(a), AC-17(a), AC-2(5), CM-6(a), CM-6(a), SC-10
nist-csf:	DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2
os-srg:	SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175
pcidss:	Req-8.1.8
pcidss4:	8.2, 8.2.8

Warnings:

Dependency warning

SSH disconnecting unresponsive clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration.

General warning

Following conditions may prevent the SSH session to time out:

Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
Any scp or sftp activity by the same user to the host resets the timeout.

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0AInclude%20/etc/ssh/sshd_config.d/%2A.conf%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0ALogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
        mode: 0600
        path: /etc/ssh/sshd_config
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sshd_set_idle_timeout:def:1

Title:

Set SSH Client Alive Interval

Description:

The SSH idle timeout interval should be set to an appropriate value.

Version:

OVAL graph of OVAL definition: oval:ssg-sshd_set_idle_timeout:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sshd_set_keepalive

Result:

fail

Time:

2025-04-03T20:56:20+00:00

Description:

The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.

Rationale:

This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.

Severity:

medium

Identifiers:

CCE-82464-9

References:

cis-csc:	1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
cjis:	5.5.6
cobit5:	APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui:	3.1.11
disa:	CCI-001133, CCI-002361
hipaa:	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-2009:	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
iso27001-2013:	A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cip:	CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nist:	AC-12, AC-17(a), AC-2(5), CM-6(a), SC-10
nist-csf:	DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2
os-srg:	SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
pcidss:	Req-8.1.8
pcidss4:	8.2, 8.2.8

Remediation Kubernetes snippet


Complexity:	low
Disruption:	low
Strategy:	restrict

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0AInclude%20/etc/ssh/sshd_config.d/%2A.conf%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0ALogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
        mode: 0600
        path: /etc/ssh/sshd_config
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sshd_set_keepalive:def:1

Title:

Set SSH Client Alive Count Max

Description:

Ensure 'ClientAliveCountMax' is configured with value configured in var_sshd_set_keepalive variable in /etc/ssh/sshd_config

Version:

OVAL graph of OVAL definition: oval:ssg-sshd_set_keepalive:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks

Result:

pass

Time:

2025-04-03T20:56:01+00:00

Description:

To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_hardlinks=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

fs.protected_hardlinks = 1

Rationale:

By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().

Severity:

medium

Identifiers:

CCE-82506-7

References:

anssi:	R14
disa:	CCI-002165, CCI-002235
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-6(1), CM-6(a)
os-srg:	SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,fs.protected_hardlinks%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_fs_protected_hardlinks:def:1

Title:

Enable Kernel Parameter to Enforce DAC on Hardlinks

Description:

The 'fs.protected_hardlinks' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_fs_protected_hardlinks:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks

Result:

pass

Time:

2025-04-03T20:56:03+00:00

Description:

To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_symlinks=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

fs.protected_symlinks = 1

Rationale:

By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().

Severity:

medium

Identifiers:

CCE-82507-5

References:

anssi:	R14
disa:	CCI-002165, CCI-002235
nerc-cip:	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist:	AC-6(1), CM-6(a)
os-srg:	SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,fs.protected_symlinks%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_fs_protected_symlinks:def:1

Title:

Enable Kernel Parameter to Enforce DAC on Symlinks

Description:

The 'fs.protected_symlinks' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_fs_protected_symlinks:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern

Result:

fail

Time:

2025-04-03T20:56:04+00:00

Description:

To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:

$ sudo sysctl -w kernel.core_pattern=|/bin/false

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.core_pattern = |/bin/false

Rationale:

Severity:

medium

Identifiers:

CCE-82527-3

References:

disa:	CCI-000366
nist:	SC-7(10)
os-srg:	SRG-OS-000480-GPOS-00227
pcidss4:	3.3, 3.3.1, 3.3.1.1

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_kernel_core_pattern:def:1

Title:

Disable storing core dumps

Description:

The 'kernel.core_pattern' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_kernel_core_pattern:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict

Result:

fail

Time:

2025-04-03T20:56:05+00:00

Description:

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.dmesg_restrict = 1

Rationale:

Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Severity:

low

Identifiers:

CCE-82499-5

References:

anssi:	R9
cui:	3.1.5
disa:	CCI-001082, CCI-001090
hipaa:	164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
nist:	SI-11(a), SI-11(b)
os-srg:	SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
ospp:	FMT_SMF_EXT.1
stigid:	CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610, SRG-APP-000243-CTR-000600

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.dmesg_restrict%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_kernel_dmesg_restrict:def:1

Title:

Restrict Access to Kernel Message Buffer

Description:

The 'kernel.dmesg_restrict' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_kernel_dmesg_restrict:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled

Result:

fail

Time:

2025-04-03T20:56:07+00:00

Description:

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.kexec_load_disabled=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.kexec_load_disabled = 1

Rationale:

Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled.

Severity:

medium

Identifiers:

CCE-82500-0

References:

disa:	CCI-000366, CCI-003992
nist:	CM-6
os-srg:	SRG-OS-000366-GPOS-00153, SRG-OS-000480-GPOS-00227
ospp:	FMT_SMF_EXT.1

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.kexec_load_disabled%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_kernel_kexec_load_disabled:def:1

Title:

Disable Kernel Image Loading

Description:

The 'kernel.kexec_load_disabled' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_kernel_kexec_load_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict

Result:

pass

Time:

2025-04-03T20:56:14+00:00

Description:

To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.kptr_restrict=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.kptr_restrict = 1

Rationale:

Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0.

Severity:

medium

Identifiers:

CCE-82498-7

References:

anssi:	R9
disa:	CCI-000366, CCI-001082, CCI-002824
nerc-cip:	CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4
nist:	CM-6(a), SC-30, SC-30(2), SC-30(5)
os-srg:	SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227
ospp:	FMT_SMF_EXT.1

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.kptr_restrict%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_kernel_kptr_restrict:def:1

Title:

Restrict Exposed Kernel Pointer Addresses Access

Description:

The 'kernel.kptr_restrict' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_kernel_kptr_restrict:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

low

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid

Result:

fail

Time:

2025-04-03T20:56:08+00:00

Description:

To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:

$ sudo sysctl -w kernel.perf_event_paranoid=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.perf_event_paranoid = 2

Rationale:

Kernel profiling can reveal sensitive information about kernel behaviour.

Severity:

low

Identifiers:

CCE-82502-6

References:

anssi:	R9
disa:	CCI-001082, CCI-001090
nist:	AC-6
os-srg:	SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
ospp:	FMT_SMF_EXT.1
stigid:	CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610, SRG-APP-000243-CTR-000600

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.perf_event_paranoid%3D2%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_kernel_perf_event_paranoid:def:1

Title:

Disallow kernel profiling by unprivileged users

Description:

The 'kernel.perf_event_paranoid' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_kernel_perf_event_paranoid:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled

Result:

fail

Time:

2025-04-03T20:56:10+00:00

Description:

To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.unprivileged_bpf_disabled = 1

Rationale:

Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.

Severity:

medium

Identifiers:

CCE-82504-2

References:

anssi:	R9
disa:	CCI-000366, CCI-001082
nist:	AC-6, SC-7(10)
os-srg:	SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.unprivileged_bpf_disabled%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1

Title:

Disable Access to Network bpf() Syscall From Unprivileged Processes

Description:

The 'kernel.unprivileged_bpf_disabled' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope

Result:

fail

Time:

2025-04-03T20:56:11+00:00

Description:

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

$ sudo sysctl -w kernel.yama.ptrace_scope=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.yama.ptrace_scope = 1

Rationale:

Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).

Severity:

medium

Identifiers:

CCE-82501-8

References:

anssi:	R11
disa:	CCI-000366, CCI-001082
nist:	SC-7(10)
os-srg:	SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
ospp:	FMT_SMF_EXT.1

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.yama.ptrace_scope%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1

Title:

Restrict usage of ptrace to descendant processes

Description:

The 'kernel.yama.ptrace_scope' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden

Result:

fail

Time:

2025-04-03T20:56:12+00:00

Description:

To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:

$ sudo sysctl -w net.core.bpf_jit_harden=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.core.bpf_jit_harden = 2

Rationale:

When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms.

Severity:

medium

Identifiers:

CCE-82505-9

References:

anssi:	R12
disa:	CCI-000366
nist:	CM-6, SC-7(10)
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.core.bpf_jit_harden%3D2%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_core_bpf_jit_harden:def:1

Title:

Harden the operation of the BPF just-in-time compiler

Description:

The 'net.core.bpf_jit_harden' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_core_bpf_jit_harden:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects

Result:

fail

Time:

2025-04-03T20:55:39+00:00

Description:

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.accept_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."

Severity:

medium

Identifiers:

CCE-82469-8

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cjis:	5.10.1.1
cobit5:	APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b), SC-7(a)
nist-csf:	DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1

Title:

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Description:

The 'net.ipv4.conf.all.accept_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route

Result:

fail

Time:

2025-04-03T20:55:40+00:00

Description:

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Severity:

medium

Identifiers:

CCE-82478-9

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nist:	CM-6(a), CM-7(a), CM-7(b), SC-5, SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1

Title:

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Description:

The 'net.ipv4.conf.all.accept_source_route' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

unknown

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians

Result:

fail

Time:

2025-04-03T20:55:42+00:00

Description:

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.log_martians = 1

Rationale:

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Severity:

unknown

Identifiers:

CCE-82486-2

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cobit5:	APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2
nist:	CM-7(a), CM-7(b), SC-5(3)(a)
nist-csf:	DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.log_martians%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1

Title:

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

Description:

The 'net.ipv4.conf.all.log_martians' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter

Result:

fail

Time:

2025-04-03T20:55:43+00:00

Description:

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.rp_filter = 1

Rationale:

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Severity:

medium

Identifiers:

CCE-82488-8

References:

anssi:	R12
cis-csc:	1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
cobit5:	APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013:	SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), CM-7(a), CM-7(b), SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.3
pcidss4:	1.4, 1.4.3

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.rp_filter%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1

Title:

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Description:

The 'net.ipv4.conf.all.rp_filter' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects

Result:

fail

Time:

2025-04-03T20:55:44+00:00

Description:

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.secure_redirects = 0

Rationale:

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Severity:

medium

Identifiers:

CCE-82482-1

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-001503, CCI-001551
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), CM-7(a), CM-7(b), SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.3
pcidss4:	1.4, 1.4.3

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1

Title:

Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

Description:

The 'net.ipv4.conf.all.secure_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects

Result:

fail

Time:

2025-04-03T20:55:56+00:00

Description:

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.send_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Severity:

medium

Identifiers:

CCE-82484-7

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis:	5.10.1.1
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nist:	CM-6(a), CM-7(a), CM-7(b), SC-5, SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss4:	1.4, 1.4.5

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.send_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1

Title:

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Description:

The 'net.ipv4.conf.all.send_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects

Result:

fail

Time:

2025-04-03T20:55:46+00:00

Description:

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_redirects = 0

Rationale:

Severity:

medium

Identifiers:

CCE-82470-6

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis:	5.10.1.1
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), CM-7(a), CM-7(b), SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.3
pcidss4:	1.4, 1.4.3

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1

Title:

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Description:

The 'net.ipv4.conf.default.accept_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route

Result:

pass

Time:

2025-04-03T20:55:47+00:00

Description:

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Severity:

medium

Identifiers:

CCE-82479-7

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis:	5.10.1.1
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nist:	CM-7(a), CM-7(b), SC-5, SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1

Title:

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Description:

The 'net.ipv4.conf.default.accept_source_route' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

unknown

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians

Result:

fail

Time:

2025-04-03T20:55:48+00:00

Description:

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.log_martians = 1

Rationale:

Severity:

unknown

Identifiers:

CCE-82487-0

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cobit5:	APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2
nist:	CM-7(a), CM-7(b), SC-5(3)(a)
nist-csf:	DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.log_martians%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1

Title:

Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

Description:

The 'net.ipv4.conf.default.log_martians' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter

Result:

fail

Time:

2025-04-03T20:55:50+00:00

Description:

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.rp_filter = 1

Rationale:

Severity:

medium

Identifiers:

CCE-82489-6

References:

anssi:	R12
cis-csc:	1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
cobit5:	APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013:	SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), CM-7(a), CM-7(b), SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.rp_filter%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1

Title:

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

Description:

The 'net.ipv4.conf.default.rp_filter' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects

Result:

fail

Time:

2025-04-03T20:55:51+00:00

Description:

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.secure_redirects = 0

Rationale:

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Severity:

medium

Identifiers:

CCE-82483-9

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-001551
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nist:	CM-7(a), CM-7(b), SC-5, SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1

Title:

Configure Kernel Parameter for Accepting Secure Redirects By Default

Description:

The 'net.ipv4.conf.default.secure_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects

Result:

fail

Time:

2025-04-03T20:55:58+00:00

Description:

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.send_redirects = 0

Rationale:

Severity:

medium

Identifiers:

CCE-82485-4

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis:	5.10.1.1
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nist:	CM-6(a), CM-7(a), CM-7(b), SC-5, SC-7(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss4:	1.4, 1.4.5

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.send_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1

Title:

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Description:

The 'net.ipv4.conf.default.send_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Result:

fail

Time:

2025-04-03T20:55:52+00:00

Description:

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale:

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Severity:

medium

Identifiers:

CCE-82491-2

References:

cis-csc:	1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis:	5.10.1.1
cobit5:	APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip:	CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nist:	CM-7(a), CM-7(b), SC-5
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.3
pcidss4:	1.4, 1.4.2

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1

Title:

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Description:

The 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

unknown

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses

Result:

fail

Time:

2025-04-03T20:55:54+00:00

Description:

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale:

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Severity:

unknown

Identifiers:

CCE-82490-4

References:

anssi:	R12
cis-csc:	1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cobit5:	APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2
nerc-cip:	CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nist:	CM-7(a), CM-7(b), SC-5
nist-csf:	DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.3
pcidss4:	1.4, 1.4.2

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1

Title:

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Description:

The 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies

Result:

fail

Time:

2025-04-03T20:55:55+00:00

Description:

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.tcp_syncookies=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.tcp_syncookies = 1

Rationale:

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Severity:

medium

Identifiers:

CCE-82492-0

References:

anssi:	R12
cis-csc:	1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
cjis:	5.10.1.1
cobit5:	APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui:	3.1.20
disa:	CCI-000366, CCI-001095, CCI-002385
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013:	SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a)
nist-csf:	DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
os-srg:	SRG-OS-000142-GPOS-00071, SRG-OS-000420-GPOS-00186, SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.1
pcidss4:	1.4, 1.4.3

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.tcp_syncookies%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1

Title:

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

Description:

The 'net.ipv4.tcp_syncookies' kernel parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra

Result:

fail

Time:

2025-04-03T20:55:31+00:00

Description:

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_ra = 0

Rationale:

An illicit router advertisement message could result in a man-in-the-middle attack.

Severity:

medium

Identifiers:

CCE-82467-2

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.all.accept_ra%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1

Title:

Configure Accepting Router Advertisements on All IPv6 Interfaces

Description:

The kernel 'net.ipv6.conf.all.accept_ra' parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#ipv6_enabled

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects

Result:

fail

Time:

2025-04-03T20:55:32+00:00

Description:

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_redirects = 0

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Severity:

medium

Identifiers:

CCE-82471-4

References:

anssi:	R13
cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-6(b), CM-6.1(iv), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1

Title:

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Description:

The kernel 'net.ipv6.conf.all.accept_redirects' parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#ipv6_enabled

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route

Result:

fail

Time:

2025-04-03T20:55:34+00:00

Description:

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Severity:

medium

Identifiers:

CCE-82480-5

References:

anssi:	R13
cis-csc:	1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9
cobit5:	APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013:	SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1

Title:

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Description:

The kernel 'net.ipv6.conf.all.accept_source_route' parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#ipv6_enabled

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra

Result:

fail

Time:

2025-04-03T20:55:35+00:00

Description:

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_ra = 0

Rationale:

An illicit router advertisement message could result in a man-in-the-middle attack.

Severity:

medium

Identifiers:

CCE-82468-0

References:

cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.default.accept_ra%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1

Title:

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Description:

The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#ipv6_enabled

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects

Result:

fail

Time:

2025-04-03T20:55:36+00:00

Description:

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_redirects = 0

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Severity:

medium

Identifiers:

CCE-82477-1

References:

anssi:	R13
cis-csc:	11, 14, 3, 9
cobit5:	BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013:	A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nist:	CM-6(a), CM-7(a), CM-7(b)
nist-csf:	PR.IP-1, PR.PT-3
os-srg:	SRG-OS-000480-GPOS-00227

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1

Title:

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Description:

The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#ipv6_enabled

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route

Result:

fail

Time:

2025-04-03T20:55:38+00:00

Description:

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Severity:

medium

Identifiers:

CCE-82481-3

References:

anssi:	R13
cis-csc:	1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9
cobit5:	APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui:	3.1.20
disa:	CCI-000366
isa-62443-2009:	4.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013:	SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nist:	CM-6(a), CM-6(b), CM-6.1(iv), CM-7(a), CM-7(b)
nist-csf:	DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
os-srg:	SRG-OS-000480-GPOS-00227
pcidss:	Req-1.4.3
pcidss4:	1.4, 1.4.2

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1

Title:

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Description:

The kernel 'net.ipv6.conf.default.accept_source_route' parameter should be set to the appropriate value in system configuration and system runtime.

Version:

OVAL graph of OVAL definition: oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#ipv6_enabled

CPE platform required by rule:

#system_with_kernel

medium

fail

Rule ID:

xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub

Result:

fail

Time:

2025-04-03T20:56:23+00:00

Description:

To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line allow with-interface match-all { 03:*:* 09:00:* } to /etc/usbguard/rules.conf.

Rationale:

Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system.

Severity:

medium

Identifiers:

CCE-82539-8

References:

nist:	CM-8(3), IA-3
os-srg:	SRG-OS-000114-GPOS-00059
ospp:	FMT_SMF_EXT.1
stigid:	CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030, SRG-APP-000092-CTR-000165

Warnings:

General warning

This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.

Remediation Kubernetes snippet

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }}
        mode: 0600
        path: /etc/usbguard/rules.d/75-hid-and-hub.conf
        overwrite: true

OVAL definition:

Definition ID:

oval:ssg-usbguard_allow_hid_and_hub:def:1

Title:

Authorize Human Interface Devices and USB hubs in USBGuard daemon

Description:

Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.

Version:

OVAL graph of OVAL definition: oval:ssg-usbguard_allow_hid_and_hub:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by group:

#not_s390x_arch_and_system_with_kernel

unknown

notchecked

Rule ID:

xccdf_org.ssgproject.content_rule_wireless_disable_in_bios

Result:

notchecked

Time:

2025-04-03T20:56:00+00:00

Description:

Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot.

Rationale:

Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first.

Severity:

unknown

Identifiers:

CCE-82659-4

References:

cis-csc:	11, 12, 14, 15, 3, 8, 9
cobit5:	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disa:	CCI-000085
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013:	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nist:	AC-18(3), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7
nist-csf:	PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Messages:

Message: Message:

No candidate or applicable check found.

Warning alert: There is no OVAL definition.

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#system_with_kernel

medium

notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_wireless_disable_interfaces

Result:

notapplicable

Time:

2025-04-03T20:56:00+00:00

Description:

Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:

$ sudo nmcli radio all off

Rationale:

The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Severity:

medium

Identifiers:

CCE-82660-2

References:

cis-csc:	11, 12, 14, 15, 3, 8, 9
cobit5:	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
cui:	3.1.16
disa:	CCI-001443, CCI-001444, CCI-002418, CCI-002421
isa-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
ism:	1315, 1319
iso27001-2013:	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nist:	AC-18(3), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7
nist-csf:	PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
os-srg:	SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-00481
pcidss:	Req-1.3.3
pcidss4:	1.3, 1.3.3

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux_coreos:4 Profile platform

CPE platform required by rule:

#wifi-iface

About profile

Compliance and Scoring

Rule results

Severity of failed rules

Score

Evaluation Characteristics

More Evaluation Characteristics

Rule Overview

Advanced filtering options

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition:

Applicability checks:

OVAL definition: