contains 43 rules |
System Settings
[ref]groupContains rules that check correct system settings. |
contains 30 rules |
Installing and Maintaining Software
[ref]groupThe following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates. |
contains 10 rules |
Sudo , which stands for "su 'do'", provides the ability to delegate authority
to certain users, groups of users, or system administrators. When configured for system
users and/or groups, Sudo can allow a user or group to execute privileged commands
that normally only root is allowed to execute.
For more information on Sudo and addition Sudo configuration options, see
https://www.sudo.ws.
|
contains 2 rules |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
[ref]ruleThe sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/ . Rationale:Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. Identifiers:
CCE-83291-5 References:
BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
tags:
- CCE-83291-5
- DISA-STIG-SLES-15-010450
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
- name: Remove lines containing !authenticate from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+\!authenticate.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
tags:
- CCE-83291-5
- DISA-STIG-SLES-15-010450
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
for f in /etc/sudoers /etc/sudoers.d/* ; do
if [ ! -e "$f" ] ; then
continue
fi
matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
# comment out "!authenticate" matches to preserve user data
sed -i "s/^${entry}$/# &/g" $f
done <<< "$matching_list"
/usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
fi
done
|
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref]ruleThe sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . Rationale:Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. Identifiers:
CCE-85663-3 References:
BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
tags:
- CCE-85663-3
- DISA-STIG-SLES-15-010450
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_nopasswd
- name: Remove lines containing NOPASSWD from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
tags:
- CCE-85663-3
- DISA-STIG-SLES-15-010450
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_nopasswd
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
for f in /etc/sudoers /etc/sudoers.d/* ; do
if [ ! -e "$f" ] ; then
continue
fi
matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
# comment out "NOPASSWD" matches to preserve user data
sed -i "s/^${entry}$/# &/g" $f
done <<< "$matching_list"
/usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
fi
done
|
Updating Software
[ref]groupThe zypper command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the System menu, in the Administration submenu,
called Software Update.
SUSE Linux Enterprise 15 systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Consistently using
zypper or the graphical Software Update for all software installation
allows for insight into the current inventory of installed software on the system.
|
contains 8 rules |
Install dnf-automatic Package
[ref]ruleThe dnf-automatic package can be installed with the following command:
$ sudo zypper install dnf-automatic Rationale:dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution. Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | enable |
---|
include install_dnf-automatic
class install_dnf-automatic {
package { 'dnf-automatic':
ensure => 'installed',
}
}
Remediation script: (show)
[[packages]]
name = "dnf-automatic"
version = "*"
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
tags:
- CCE-91163-6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | enable |
---|
zypper install -y "dnf-automatic"
|
Configure dnf-automatic to Install Available Updates Automatically
[ref]ruleTo ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . Rationale:Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. Identifiers:
CCE-91165-1 References:
BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | unknown |
---|
- name: Configure dnf-automatic to Install Available Updates Automatically
ini_file:
dest: /etc/dnf/automatic.conf
section: commands
option: apply_updates
value: 'yes'
create: true
tags:
- CCE-91165-1
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- dnf-automatic_apply_updates
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
Remediation Shell script: (show)
found=false
# set value in all files if they contain section or key
for f in $(echo -n "/etc/dnf/automatic.conf"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then
sed -i "s/apply_updates[^(\n)]*/apply_updates = yes/" "$f"
found=true
# find section and add key = value to it
elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
sed -i "/[[:space:]]*\[commands\]/a apply_updates = yes" "$f"
found=true
fi
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
file=$(echo "/etc/dnf/automatic.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[commands]\napply_updates = yes" >> "$file"
fi
|
Configure dnf-automatic to Install Only Security Updates
[ref]ruleTo configure dnf-automatic to install only security updates
automatically, set upgrade_type to security under
[commands] section in /etc/dnf/automatic.conf . Rationale:By default, dnf-automatic installs all available updates.
Reducing the amount of updated packages only to updates that were
issued as a part of a security advisory increases the system stability. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | unknown |
---|
- name: Configure dnf-automatic to Install Only Security Updates
ini_file:
dest: /etc/dnf/automatic.conf
section: commands
option: upgrade_type
value: security
create: true
tags:
- CCE-91166-9
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- dnf-automatic_security_updates_only
- low_complexity
- low_severity
- medium_disruption
- no_reboot_needed
- unknown_strategy
Remediation Shell script: (show)
found=false
# set value in all files if they contain section or key
for f in $(echo -n "/etc/dnf/automatic.conf"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" "$f"
found=true
# find section and add key = value to it
elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
sed -i "/[[:space:]]*\[commands\]/a upgrade_type = security" "$f"
found=true
fi
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
file=$(echo "/etc/dnf/automatic.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[commands]\nupgrade_type = security" >> "$file"
fi
|
Ensure gpgcheck Enabled In Main zypper Configuration
[ref]ruleThe gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure zypper to check package signatures before installing
them, ensure the following line appears in /etc/zypp/zypp.conf in
the [main] section:
gpgcheck=1 Rationale:Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). Identifiers:
CCE-83290-7 References:
BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, SLES-15-010430, 1.2.3, SV-234852r877463_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | configure |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83290-7
- CJIS-5.10.4.1
- DISA-STIG-SLES-15-010430
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3.3
- configure_strategy
- ensure_gpgcheck_globally_activated
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Ensure GPG check is globally activated
ini_file:
dest: /etc/zypp/zypp.conf
section: main
option: gpgcheck
value: 1
no_extra_spaces: true
create: false
when: '"zypper" in ansible_facts.packages'
tags:
- CCE-83290-7
- CJIS-5.10.4.1
- DISA-STIG-SLES-15-010430
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3.3
- configure_strategy
- ensure_gpgcheck_globally_activated
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
Remediation Shell script: (show)
# Remediation is applicable only in certain platforms
if rpm --quiet -q zypper; then
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/zypp/zypp.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/zypp/zypp.conf"
else
if [[ -s "/etc/zypp/zypp.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/zypp/zypp.conf" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/zypp/zypp.conf"
fi
cce="CCE-83290-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/zypp/zypp.conf" >> "/etc/zypp/zypp.conf"
printf '%s\n' "$formatted_output" >> "/etc/zypp/zypp.conf"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure gpgcheck Enabled for Local Packages
[ref]rulezypper should be configured to verify the signature(s) of local packages
prior to installation. To configure zypper to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/zypp/zypp.conf . Rationale:Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization. Identifiers:
CCE-91167-7 References:
BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153 Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | unknown |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91167-7
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- ensure_gpgcheck_local_packages
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Ensure GPG check Enabled for Local Packages (zypper)
block:
- name: Check stats of zypper
stat:
path: /etc/zypp/zypp.conf
register: pkg
- name: Check if config file of zypper is a symlink
ansible.builtin.set_fact:
pkg_config_file_symlink: '{{ pkg.stat.lnk_target if pkg.stat.lnk_target is match("^/.*")
else "/etc/zypp/zypp.conf" | dirname ~ "/" ~ pkg.stat.lnk_target }}'
when: pkg.stat.lnk_target is defined
- name: Ensure GPG check Enabled for Local Packages (zypper)
ini_file:
dest: '{{ pkg_config_file_symlink | default("/etc/zypp/zypp.conf") }}'
section: main
option: localpkg_gpgcheck
value: 1
no_extra_spaces: true
create: true
when: '"yum" in ansible_facts.packages'
tags:
- CCE-91167-7
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- ensure_gpgcheck_local_packages
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
Remediation Shell script: (show)
# Remediation is applicable only in certain platforms
if rpm --quiet -q yum; then
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")
# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/zypp/zypp.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/zypp/zypp.conf"
else
if [[ -s "/etc/zypp/zypp.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/zypp/zypp.conf" || true)" ]]; then
LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/zypp/zypp.conf"
fi
cce="CCE-91167-7"
printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/zypp/zypp.conf" >> "/etc/zypp/zypp.conf"
printf '%s\n' "$formatted_output" >> "/etc/zypp/zypp.conf"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Ensure gpgcheck Enabled for All zypper Package Repositories
[ref]ruleTo ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 Rationale:Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." Identifiers:
CCE-85797-9 References:
BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3 Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | enable |
---|
- name: Grep for zypper repo section names
shell: |
set -o pipefail
grep -HEr '^\[.+\]' -r /etc/zypp/repos.d/
register: repo_grep_results
failed_when: repo_grep_results.rc not in [0, 1]
changed_when: false
tags:
- CCE-85797-9
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Set gpgcheck=1 for each zypper repo
ini_file:
path: '{{ item[0] }}'
section: '{{ item[1] }}'
option: gpgcheck
value: '1'
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' )
}}'
tags:
- CCE-85797-9
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
Remediation Shell script: (show)
sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*
|
Ensure Software Patches Installed
[ref]rule
If the system is configured for online updates, invoking the following command will list available
security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates.Rationale:Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. Identifiers:
CCE-83261-8 References:
BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, SLES-15-010010, 1.9, SV-234802r622137_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | high |
---|
Reboot: | true |
---|
Strategy: | patch |
---|
- name: Security patches are up to date
package:
name: '*'
state: latest
tags:
- CCE-83261-8
- CJIS-5.10.4.1
- DISA-STIG-SLES-15-010010
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3.3
- high_disruption
- low_complexity
- medium_severity
- patch_strategy
- reboot_required
- security_patches_up_to_date
- skip_ansible_lint
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | high |
---|
Reboot: | true |
---|
Strategy: | patch |
---|
zypper patch -g security -y
|
Enable dnf-automatic Timer
[ref]rule
The dnf-automatic timer can be enabled with the following command:
$ sudo systemctl enable dnf-automatic.timer Rationale:The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar.
The tool is controlled by dnf-automatic.timer SystemD timer. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | enable |
---|
- name: Enable timer dnf-automatic
block:
- name: Gather the package facts
package_facts:
manager: auto
- name: Enable timer dnf-automatic
systemd:
name: dnf-automatic.timer
enabled: 'yes'
state: started
when:
- '"dnf-automatic" in ansible_facts.packages'
tags:
- CCE-91164-4
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- timer_dnf-automatic_enabled
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | enable |
---|
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer'
"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer'
|
Account and Access Control
[ref]groupIn traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under
SUSE Linux Enterprise 15. |
contains 13 rules |
Protect Accounts by Configuring PAM
[ref]groupPAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
PAM looks in the directory /etc/pam.d for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file /etc/pam.d/login
to determine what actions should be taken.
One very important file in /etc/pam.d is
/etc/pam.d/system-auth . This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service. Warning:
Be careful when making changes to PAM's configuration files.
The syntax for these files is complex, and modifications can
have unexpected consequences. The default configurations shipped
with applications should be sufficient for most users. |
contains 11 rules |
Set Lockouts for Failed Password Attempts
[ref]groupThe pam_faillock PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
/usr/share/doc/pam-VERSION/txts/README.pam_faillock .
Warning:
Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks. |
contains 4 rules |
Limit Password Reuse
[ref]ruleDo not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_unix or pam_pwhistory PAM modules. Warning:
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. Warning:
Newer versions of authselect contain an authselect feature to easily and properly
enable pam_pwhistory.so module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files. Rationale:Preventing re-use of previous passwords helps ensure that a compromised password is not
re-used by a user. Identifiers:
CCE-85678-1 References:
BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(1)(e), IA-5(1).1(v), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, 8.3.7, SRG-OS-000077-GPOS-00045, SLES-15-020250, SV-234894r622137_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | configure |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: XCCDF Value var_password_pam_unix_remember # promote to variable
set_fact:
var_password_pam_unix_remember: !!str 2
tags:
- always
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Collect the available authselect features
ansible.builtin.command:
cmd: authselect list-features minimal
register: result_authselect_available_features
changed_when: false
when:
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Enable pam_pwhistory.so using authselect feature
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific demand,
a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Ensure "with-pwhistory" feature is enabled using
authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-pwhistory
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-pwhistory")
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
- result_authselect_available_features.stdout is search("with-pwhistory")
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Enable pam_pwhistory.so in appropriate PAM files
block:
- name: Limit Password Reuse - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/common-password
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Limit Password Reuse - Ensure authselect custom profile is used if authselect
is present
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Define the current authselect profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Limit Password Reuse - Define the new authselect custom profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Limit Password Reuse - Get authselect current features to also enable
them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Check if any custom profile with the same name
was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Create an authselect custom profile based on the
current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_check_cmd is success
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Limit Password Reuse - Change the PAM file to be edited according to the
custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- result_authselect_present.stat.exists
- name: Limit Password Reuse - Check if expected PAM module line is present in {{
pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Limit Password Reuse - Include or update the PAM module line in {{ pam_file_path
}}
block:
- name: Limit Password Reuse - Check if required PAM module line is present in
{{ pam_file_path }} with different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Limit Password Reuse - Ensure the correct control for the required PAM
module line in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1requisite \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Limit Password Reuse - Ensure the required PAM module line is included
in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality\.so
line: password requisite pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
when:
- '"pam" in ansible_facts.packages'
- |
(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Check the presence of /etc/security/pwhistory.conf
file
ansible.builtin.stat:
path: /etc/security/pwhistory.conf
register: result_pwhistory_conf_check
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf
file
block:
- name: Limit Password Reuse - Ensure the pam_pwhistory.so remember parameter in
/etc/security/pwhistory.conf
ansible.builtin.lineinfile:
path: /etc/security/pwhistory.conf
regexp: ^\s*remember\s*=
line: remember = {{ var_password_pam_unix_remember }}
state: present
- name: Limit Password Reuse - Ensure the pam_pwhistory.so remember parameter is
removed from PAM files
block:
- name: Limit Password Reuse - Check if /etc/pam.d/common-password file is present
ansible.builtin.stat:
path: /etc/pam.d/common-password
register: result_pam_file_present
- name: Limit Password Reuse - Check the proper remediation for the system
block:
- name: Limit Password Reuse - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/common-password
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Limit Password Reuse - Ensure authselect custom profile is used if authselect
is present
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Define the current authselect profile as a
local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Limit Password Reuse - Define the new authselect custom profile as
a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Limit Password Reuse - Get authselect current features to also enable
them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Check if any custom profile with the same name
was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Create an authselect custom profile based on
the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_check_cmd is success
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Restore the authselect features in the custom
profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Limit Password Reuse - Change the PAM file to be edited according
to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- result_authselect_present.stat.exists
- name: Limit Password Reuse - Ensure the "remember" option from "pam_pwhistory.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
when:
- '"pam" in ansible_facts.packages'
- result_pwhistory_conf_check.stat.exists
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - pam_pwhistory.so parameters are configured in PAM files
block:
- name: Limit Password Reuse - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/common-password
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Limit Password Reuse - Ensure authselect custom profile is used if authselect
is present
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Define the current authselect profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Limit Password Reuse - Define the new authselect custom profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Limit Password Reuse - Get authselect current features to also enable
them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Check if any custom profile with the same name
was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Create an authselect custom profile based on the
current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_check_cmd is success
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Limit Password Reuse - Change the PAM file to be edited according to the
custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- result_authselect_present.stat.exists
- name: Limit Password Reuse - Check if expected PAM module line is present in {{
pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Limit Password Reuse - Include or update the PAM module line in {{ pam_file_path
}}
block:
- name: Limit Password Reuse - Check if required PAM module line is present in
{{ pam_file_path }} with different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Limit Password Reuse - Ensure the correct control for the required PAM
module line in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1requisite \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Limit Password Reuse - Ensure the required PAM module line is included
in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password requisite pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: Limit Password Reuse - Check if the required PAM module option is present
in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_remember_option_present
- name: Limit Password Reuse - Ensure the "remember" PAM option for "pam_pwhistory.so"
is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_unix_remember }}
state: present
register: result_pam_remember_add
when:
- result_pam_module_remember_option_present.found == 0
- name: Limit Password Reuse - Ensure the required value for "remember" PAM option
from "pam_pwhistory.so" in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{ var_password_pam_unix_remember }} \3
register: result_pam_remember_edit
when:
- result_pam_module_remember_option_present.found > 0
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or
(result_pam_remember_edit is defined and result_pam_remember_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- not result_pwhistory_conf_check.stat.exists
tags:
- CCE-85678-1
- CJIS-5.6.2.1.1
- DISA-STIG-SLES-15-020250
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
Remediation Shell script: (show)
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_password_pam_unix_remember='2'
if [ -f /usr/bin/authselect ]; then
if authselect list-features minimal | grep -q with-pwhistory; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature with-pwhistory
authselect apply-changes -b
else
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
# If not already in use, a custom profile is created preserving the enabled features.
if [[ ! $CURRENT_PROFILE == custom/* ]]; then
ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
authselect create-profile hardening -b $CURRENT_PROFILE
CURRENT_PROFILE="custom/hardening"
authselect apply-changes -b --backup=before-hardening-custom-profile
authselect select $CURRENT_PROFILE
for feature in $ENABLED_FEATURES; do
authselect enable-feature $feature;
done
authselect apply-changes -b --backup=after-hardening-custom-profile
fi
PAM_FILE_NAME=$(basename "/etc/pam.d/common-password")
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH"
else
echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
fi
fi
fi
fi
else
if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/common-password"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/common-password")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "/etc/pam.d/common-password"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/common-password" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "/etc/pam.d/common-password"
else
echo 'password '"requisite"' pam_pwhistory.so' >> "/etc/pam.d/common-password"
fi
fi
fi
fi
PWHISTORY_CONF="/etc/security/pwhistory.conf"
if [ -f $PWHISTORY_CONF ]; then
regex="^\s*remember\s*="
line="remember = $var_password_pam_unix_remember"
if ! grep -q $regex $PWHISTORY_CONF; then
echo $line >> $PWHISTORY_CONF
else
sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_unix_remember"'|g' $PWHISTORY_CONF
fi
if [ -e "/etc/pam.d/common-password" ] ; then
PAM_FILE_PATH="/etc/pam.d/common-password"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
# If not already in use, a custom profile is created preserving the enabled features.
if [[ ! $CURRENT_PROFILE == custom/* ]]; then
ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
authselect create-profile hardening -b $CURRENT_PROFILE
CURRENT_PROFILE="custom/hardening"
authselect apply-changes -b --backup=before-hardening-custom-profile
authselect select $CURRENT_PROFILE
for feature in $ENABLED_FEATURES; do
authselect enable-feature $feature;
done
authselect apply-changes -b --backup=after-hardening-custom-profile
fi
PAM_FILE_NAME=$(basename "/etc/pam.d/common-password")
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
fi
if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
authselect apply-changes -b
fi
else
echo "/etc/pam.d/common-password was not found" >&2
fi
else
PAM_FILE_PATH="/etc/pam.d/common-password"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
# If not already in use, a custom profile is created preserving the enabled features.
if [[ ! $CURRENT_PROFILE == custom/* ]]; then
ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
authselect create-profile hardening -b $CURRENT_PROFILE
CURRENT_PROFILE="custom/hardening"
authselect apply-changes -b --backup=before-hardening-custom-profile
authselect select $CURRENT_PROFILE
for feature in $ENABLED_FEATURES; do
authselect enable-feature $feature;
done
authselect apply-changes -b --backup=after-hardening-custom-profile
fi
PAM_FILE_NAME=$(basename "/etc/pam.d/common-password")
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
fi
if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
else
echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
fi
fi
# Check the option
if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_unix_remember"'/' "$PAM_FILE_PATH"
else
sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_remember"' \3/' "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
authselect apply-changes -b
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Deny For Failed Password Attempts
[ref]ruleThe SUSE Linux Enterprise 15 operating system must lock an account after - at most - 5
consecutive invalid access attempts. Rationale:By limiting the number of failed logon attempts, the risk of unauthorized
system access via user password guessing, otherwise known as brute-force
attacks, is reduced. Limits are imposed by locking the account.
To configure the operating system to lock an account after three
unsuccessful consecutive access attempts using pam_tally2.so ,
modify the content of both /etc/pam.d/login and
/etc/pam.d/common-account as follows:
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | configure |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: XCCDF Value var_password_pam_tally2 # promote to variable
set_fact:
var_password_pam_tally2: !!str 5
tags:
- always
- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
in /etc/pam.d/login
block:
- name: Set Deny For Failed Password Attempts - Check if required PAM module line
is present in /etc/pam.d/login with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Deny For Failed Password Attempts - Ensure the correct control for the
required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
line: auth required pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\sdeny\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_deny_option_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the "deny" PAM option for "pam_tally2.so"
is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
line: \1 deny={{ var_password_pam_tally2 }}
state: present
register: result_pam_deny_add
when:
- '"pam" in ansible_facts.packages'
- result_pam_module_deny_option_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the required value for "deny"
PAM option from "pam_tally2.so" in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s+.*)(deny)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{ var_password_pam_tally2 }} \3
register: result_pam_deny_edit
when:
- '"pam" in ansible_facts.packages'
- result_pam_module_deny_option_present.found > 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
in /etc/pam.d/login
block:
- name: Set Deny For Failed Password Attempts - Check if required PAM module line
is present in /etc/pam.d/login with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Deny For Failed Password Attempts - Ensure the correct control for the
required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
insertafter: (fail)
line: auth required pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\sonerr\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_onerr_option_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the "onerr" PAM option for
"pam_tally2.so" is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
line: \1 onerr=fail
state: present
register: result_pam_onerr_add
when:
- '"pam" in ansible_facts.packages'
- result_pam_module_onerr_option_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the required value for "onerr"
PAM option from "pam_tally2.so" in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s+.*)(onerr)=[0-9a-zA-Z]+\s*(.*)
line: \1\2=fail \3
register: result_pam_onerr_edit
when:
- '"pam" in ansible_facts.packages'
- result_pam_module_onerr_option_present.found > 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
in /etc/pam.d/common-account
block:
- name: Set Deny For Failed Password Attempts - Check if required PAM module line
is present in /etc/pam.d/common-account with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Deny For Failed Password Attempts - Ensure the correct control for the
required PAM module line in /etc/pam.d/common-account
ansible.builtin.replace:
dest: /etc/pam.d/common-account
regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-account
line: account required pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\s\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module__option_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Deny For Failed Password Attempts - Ensure the "" PAM option for "pam_tally2.so"
is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
backrefs: true
regexp: ^(\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
line: \1
state: present
register: result_pam__add
when:
- '"pam" in ansible_facts.packages'
- result_pam_module__option_present.found == 0
tags:
- CCE-85554-4
- DISA-STIG-SLES-15-020010
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
Remediation Shell script: (show)
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_password_pam_tally2='5'
# Use a non-number regexp to force update of the value of the deny option
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/login"
else
echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/login"
fi
fi
# Check the option
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\sdeny\b' "/etc/pam.d/login"; then
sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ deny='"${var_password_pam_tally2}"'/' "/etc/pam.d/login"
else
sed -i -E --follow-symlinks 's/(\s*auth\s+'"required"'\s+pam_tally2.so\s+.*)('"deny"'=)[[:alnum:]]+\s*(.*)/\1\2'"${var_password_pam_tally2}"' \3/' "/etc/pam.d/login"
fi
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/login"
else
LAST_MATCH_LINE=$(grep -nP "(fail)" "/etc/pam.d/login" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE' a auth '"required"' pam_tally2.so' "/etc/pam.d/login"
else
echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/login"
fi
fi
fi
# Check the option
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\sonerr\b' "/etc/pam.d/login"; then
sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ onerr='"fail"'/' "/etc/pam.d/login"
else
sed -i -E --follow-symlinks 's/(\s*auth\s+'"required"'\s+pam_tally2.so\s+.*)('"onerr"'=)[[:alnum:]]+\s*(.*)/\1\2'"fail"' \3/' "/etc/pam.d/login"
fi
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-account"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*account\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-account"
else
echo 'account '"required"' pam_tally2.so' >> "/etc/pam.d/common-account"
fi
fi
# Check the option
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*\s\b' "/etc/pam.d/common-account"; then
sed -i -E --follow-symlinks '/\s*account\s+'"required"'\s+pam_tally2.so.*/ s/$/ /' "/etc/pam.d/common-account"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Configure the root Account lock for Failed Password Attempts via pam_tally2
[ref]ruleThis rule configures the system to lock out the root account after a number of
incorrect login attempts using pam_tally2.so . Rationale:By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. Identifiers:
CCE-91281-6 References:
BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.3.2 Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the "onerr=fail" option from "pam_tally2.so" is not present in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: (.*auth.*{{ 'required' | regex_escape() }}.*pam_tally2.so.*)\bonerr=fail\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if expected PAM module line is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Include or update the PAM module line in /etc/pam.d/login
block:
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if required PAM module line is present in /etc/pam.d/login with different
control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the correct control for the required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the required PAM module line is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
line: auth required pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if the required PAM module option is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\seven_deny_root\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_even_deny_root_option_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the "even_deny_root" PAM option for "pam_tally2.so" is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
line: \1 even_deny_root
state: present
register: result_pam_even_deny_root_add
when:
- '"pam" in ansible_facts.packages'
- result_pam_module_even_deny_root_option_present.found == 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if expected PAM module line is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Include or update the PAM module line in /etc/pam.d/common-account
block:
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if required PAM module line is present in /etc/pam.d/common-account
with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the correct control for the required PAM module line in /etc/pam.d/common-account
ansible.builtin.replace:
dest: /etc/pam.d/common-account
regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the required PAM module line is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-account
line: account required pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Check if the required PAM module option is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\s\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module__option_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- Ensure the "" PAM option for "pam_tally2.so" is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
backrefs: true
regexp: ^(\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
line: \1
state: present
register: result_pam__add
when:
- '"pam" in ansible_facts.packages'
- result_pam_module__option_present.found == 0
tags:
- CCE-91281-6
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_tally2_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
if grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s.*\bonerr=fail\b' "/etc/pam.d/login"; then
sed -i -E --follow-symlinks 's/(.*auth.*'"required"'.*pam_tally2.so.*)\sonerr=fail=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/login"
fi
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/login"
else
echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/login"
fi
fi
# Check the option
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\seven_deny_root\b' "/etc/pam.d/login"; then
sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ even_deny_root/' "/etc/pam.d/login"
fi
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-account"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*account\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-account"
else
echo 'account '"required"' pam_tally2.so' >> "/etc/pam.d/common-account"
fi
fi
# Check the option
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*\s\b' "/etc/pam.d/common-account"; then
sed -i -E --follow-symlinks '/\s*account\s+'"required"'\s+pam_tally2.so.*/ s/$/ /' "/etc/pam.d/common-account"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Lockout Time for Failed Password Attempts using pam_tally2
[ref]ruleThis rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_tally2.so . Rationale:By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. Identifiers:
CCE-91282-4 References:
BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.7, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.3.2 Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_tally2_unlock_time # promote to variable
set_fact:
var_accounts_passwords_pam_tally2_unlock_time: !!str 1800
tags:
- always
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
expected PAM module line is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Include or
update the PAM module line in /etc/pam.d/login
block:
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
required PAM module line is present in /etc/pam.d/login with different control
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the correct control for the required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the required PAM module line is included in /etc/pam.d/login
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
line: auth required pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
the required PAM module option is present in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\sunlock_time\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_unlock_time_option_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure the
"unlock_time" PAM option for "pam_tally2.so" is included in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
line: \1 unlock_time={{var_accounts_passwords_pam_tally2_unlock_time}}
state: present
register: result_pam_unlock_time_add
when:
- '"pam" in ansible_facts.packages'
- result_pam_module_unlock_time_option_present.found == 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure the
required value for "unlock_time" PAM option from "pam_tally2.so" in /etc/pam.d/login
ansible.builtin.lineinfile:
path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s+.*)(unlock_time)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{var_accounts_passwords_pam_tally2_unlock_time}} \3
register: result_pam_unlock_time_edit
when:
- '"pam" in ansible_facts.packages'
- result_pam_module_unlock_time_option_present.found > 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
expected PAM module line is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Include or
update the PAM module line in /etc/pam.d/common-account
block:
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
required PAM module line is present in /etc/pam.d/common-account with different
control
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the correct control for the required PAM module line in /etc/pam.d/common-account
ansible.builtin.replace:
dest: /etc/pam.d/common-account
regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
the required PAM module line is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-account
line: account required pam_tally2.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Check if
the required PAM module option is present in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\s\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module__option_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts using pam_tally2 - Ensure the
"" PAM option for "pam_tally2.so" is included in /etc/pam.d/common-account
ansible.builtin.lineinfile:
path: /etc/pam.d/common-account
backrefs: true
regexp: ^(\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
line: \1
state: present
register: result_pam__add
when:
- '"pam" in ansible_facts.packages'
- result_pam_module__option_present.found == 0
tags:
- CCE-91282-4
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_tally2_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_accounts_passwords_pam_tally2_unlock_time='1800'
# Use a non-number regexp to force update of the value of the deny option
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/login"
else
echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/login"
fi
fi
# Check the option
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\sunlock_time\b' "/etc/pam.d/login"; then
sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ unlock_time='"${var_accounts_passwords_pam_tally2_unlock_time}"'/' "/etc/pam.d/login"
else
sed -i -E --follow-symlinks 's/(\s*auth\s+'"required"'\s+pam_tally2.so\s+.*)('"unlock_time"'=)[[:alnum:]]+\s*(.*)/\1\2'"${var_accounts_passwords_pam_tally2_unlock_time}"' \3/' "/etc/pam.d/login"
fi
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-account"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*account\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-account"
else
echo 'account '"required"' pam_tally2.so' >> "/etc/pam.d/common-account"
fi
fi
# Check the option
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*\s\b' "/etc/pam.d/common-account"; then
sed -i -E --follow-symlinks '/\s*account\s+'"required"'\s+pam_tally2.so.*/ s/$/ /' "/etc/pam.d/common-account"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Quality Requirements
[ref]groupThe default pam_pwquality PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes. The
pam_pwquality module is the preferred way of configuring
password requirements.
The man pages pam_pwquality(8)
provide information on the capabilities and configuration of
each. |
contains 5 rules |
Set Password Quality Requirements, if using
pam_cracklib
[ref]groupThe pam_cracklib PAM module can be configured to meet
requirements for a variety of policies.
For example, to configure pam_cracklib to require at least one uppercase
character, lowercase character, digit, and other (special)
character, locate the following line in /etc/pam.d/system-auth :
password requisite pam_cracklib.so try_first_pass retry=3
and then alter it to read:
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth .
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.Warning:
Note that the password quality requirements are not enforced for the
root account for some reason. |
contains 5 rules |
Set Password Strength Minimum Digit Characters
[ref]ruleThe pam_cracklib module's dcredit parameter controls requirements
for usage of digits in a password. When set to a negative number, any
password will be required to contain that many digits. When set to a
positive number, pam_cracklib will grant +1 additional length credit for
each digit. Add dcredit=-1 after pam_cracklib.so to require use of
a digit in passwords. Rationale:Requiring digits makes password guessing attacks more difficult by ensuring
a larger search space. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_password_pam_dcredit # promote to variable
set_fact:
var_password_pam_dcredit: !!str -1
tags:
- always
- name: Set control_flag fact
set_fact:
control_flag: requisite
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when: '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when: control_flag|length
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "dcredit={{ var_password_pam_dcredit
}}"
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+dcredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_dcredit }}\g<2>
backrefs: true
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "dcredit" argument in "pam_cracklib.so" module
shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+dcredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "dcredit" argument to "pam_cracklib.so" module
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> dcredit={{ var_password_pam_dcredit }}\g<2>
backrefs: true
when: '"dcredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85564-3
- DISA-STIG-SLES-15-020150
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
var_password_pam_dcredit='-1'
VALUES+=("$var_password_pam_dcredit")
VALUE_NAMES+=("dcredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
fi
done
|
Set Password Strength Minimum Lowercase Characters
[ref]ruleThe pam_cracklib module's lcredit= parameter controls requirements
for usage of lowercase letters in a password. When set to a negative
number, any password will be required to contain that many lowercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a
lowercase character in passwords. Rationale:Requiring a minimum number of lowercase characters makes password guessing
attacks more difficult by ensuring a larger search space. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_password_pam_lcredit # promote to variable
set_fact:
var_password_pam_lcredit: !!str -1
tags:
- always
- name: Set control_flag fact
set_fact:
control_flag: requisite
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when: '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when: control_flag|length
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "lcredit={{ var_password_pam_lcredit
}}"
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+lcredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_lcredit }}\g<2>
backrefs: true
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "lcredit" argument in "pam_cracklib.so" module
shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+lcredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "lcredit" argument to "pam_cracklib.so" module
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> lcredit={{ var_password_pam_lcredit }}\g<2>
backrefs: true
when: '"lcredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85676-5
- DISA-STIG-SLES-15-020140
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
var_password_pam_lcredit='-1'
VALUES+=("$var_password_pam_lcredit")
VALUE_NAMES+=("lcredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
fi
done
|
Set Password Minimum Length
[ref]ruleThe pam_cracklib module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=18
to set minimum password length requirements. Rationale:Password length is one factor of several that helps to determine
strength and how long it takes to crack a password. Use of more characters in
a password helps to exponentially increase the time and/or resources
required to compromise the password. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_password_pam_minlen # promote to variable
set_fact:
var_password_pam_minlen: !!str 18
tags:
- always
- name: Set control_flag fact
set_fact:
control_flag: requisite
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when: '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when: control_flag|length
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "minlen={{ var_password_pam_minlen
}}"
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+minlen=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_minlen }}\g<2>
backrefs: true
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "minlen" argument in "pam_cracklib.so" module
shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+minlen(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "minlen" argument to "pam_cracklib.so" module
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> minlen={{ var_password_pam_minlen }}\g<2>
backrefs: true
when: '"minlen" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85573-4
- DISA-STIG-SLES-15-020260
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3.6
- cracklib_accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
var_password_pam_minlen='18'
VALUES+=("$var_password_pam_minlen")
VALUE_NAMES+=("minlen")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
fi
done
|
Set Password Strength Minimum Special Characters
[ref]ruleThe pam_cracklib module's ocredit= parameter controls requirements
for usage of special (or ``other'') characters in a password. When set to a
negative number, any password will be required to contain that many special
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each special character.
Make sure the ocredit parameter for the pam_cracklib module is
set to less than or equal to -1 . For example, ocredit=-1 . Rationale:Requiring a minimum number of special characters makes password guessing
attacks more difficult by ensuring a larger search space. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_password_pam_ocredit # promote to variable
set_fact:
var_password_pam_ocredit: !!str -1
tags:
- always
- name: Set control_flag fact
set_fact:
control_flag: requisite
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when: '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when: control_flag|length
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "ocredit={{ var_password_pam_ocredit
}}"
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+ocredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_ocredit }}\g<2>
backrefs: true
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "ocredit" argument in "pam_cracklib.so" module
shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+ocredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "ocredit" argument to "pam_cracklib.so" module
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> ocredit={{ var_password_pam_ocredit }}\g<2>
backrefs: true
when: '"ocredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85574-2
- DISA-STIG-SLES-15-020270
- NIST-800-53-IA-5(a)
- NIST-800-53-IA-5(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
var_password_pam_ocredit='-1'
VALUES+=("$var_password_pam_ocredit")
VALUE_NAMES+=("ocredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
fi
done
|
Set Password Strength Minimum Uppercase Characters
[ref]ruleThe pam_cracklib module's ucredit= parameter controls requirements
for usage of uppercase letters in a password. When set to a negative
number, any password will be required to contain that many uppercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper
case character in passwords. Rationale:Requiring a minimum number of uppercase characters makes password guessing
attacks more difficult by ensuring a larger search space. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_password_pam_ucredit # promote to variable
set_fact:
var_password_pam_ucredit: !!str -1
tags:
- always
- name: Set control_flag fact
set_fact:
control_flag: requisite
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check to see if 'pam_cracklib.so' module is configured in '/etc/pam.d/common-password'
shell: |
set -o pipefail
grep -E '^\s*password\s+\S+\s+pam_cracklib.so' /etc/pam.d/common-password || true
register: check_pam_module_result
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure 'pam_cracklib.so' module in '/etc/pam.d/common-password'
lineinfile:
path: /etc/pam.d/common-password
line: password requisite pam_cracklib.so
state: present
when: '"pam_cracklib.so" not in check_pam_module_result.stdout'
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure 'pam_cracklib.so' module has conforming control flag
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+)\S+(\s+pam_cracklib.so\s+.*)
line: \g<1>requisite\g<2>
backrefs: true
when: control_flag|length
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure "pam_cracklib.so" module has argument "ucredit={{ var_password_pam_ucredit
}}"
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so(?:\s+\S+)*\s+ucredit=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_ucredit }}\g<2>
backrefs: true
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the presence of "ucredit" argument in "pam_cracklib.so" module
shell: |
set -o pipefail
grep -E '^\s*password\s+requisite\s+pam_cracklib.so.*\s+ucredit(=|\s|\s*$)' /etc/pam.d/common-password || true
register: check_pam_module_argument_result
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add "ucredit" argument to "pam_cracklib.so" module
lineinfile:
path: /etc/pam.d/common-password
regexp: ^(\s*password\s+requisite\s+pam_cracklib.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> ucredit={{ var_password_pam_ucredit }}\g<2>
backrefs: true
when: '"ucredit" not in check_pam_module_argument_result.stdout'
tags:
- CCE-85675-7
- DISA-STIG-SLES-15-020130
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(1).1(v)
- PCI-DSS-Req-8.2.3
- cracklib_accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
var_password_pam_ucredit='-1'
VALUES+=("$var_password_pam_ucredit")
VALUE_NAMES+=("ucredit")
ARGS+=("")
NEW_ARGS+=("")
for idx in "${!VALUES[@]}"
do
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_cracklib.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_cracklib.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_cracklib.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_cracklib.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
done
for idx in "${!ARGS[@]}"
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
fi
done
|
Set Password Hashing Algorithm
[ref]groupThe system's default algorithm for storing password hashes in
/etc/shadow is SHA-512. This can be configured in several
locations. |
contains 2 rules |
Set PAM''s Password Hashing Algorithm
[ref]ruleThe PAM system service can be configured to only store encrypted
representations of passwords. In "/etc/pam.d/common-password", the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512 , as shown
below:
password required pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for
the new passwords will be generated using the SHA-512 algorithm. This is
the default.Rationale:Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. Identifiers:
CCE-85565-0 References:
BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SLES-15-020170, SV-234886r877397_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | configure |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM's Password Hashing Algorithm - Check if /etc/pam.d/common-password
file is present
ansible.builtin.stat:
path: /etc/pam.d/common-password
register: result_pam_file_present
when: '"pam" in ansible_facts.packages'
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM's Password Hashing Algorithm - Check the proper remediation for the
system
block:
- name: Set PAM's Password Hashing Algorithm - Define the PAM file to be edited
as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/common-password
- name: Set PAM's Password Hashing Algorithm - Check if system relies on authselect
tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set PAM's Password Hashing Algorithm - Ensure authselect custom profile
is used if authselect is present
block:
- name: Set PAM's Password Hashing Algorithm - Check integrity of authselect current
profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
failed_when: false
- name: Set PAM's Password Hashing Algorithm - Informative message based on the
authselect integrity check result
ansible.builtin.assert:
that:
- result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set PAM's Password Hashing Algorithm - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set PAM's Password Hashing Algorithm - Define the current authselect profile
as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set PAM's Password Hashing Algorithm - Define the new authselect custom
profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Get authselect current features
to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Check if any custom profile with
the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile
based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_check_cmd is success
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile
is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - Restore the authselect features
in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set PAM's Password Hashing Algorithm - Change the PAM file to be edited
according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- result_authselect_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Check if expected PAM module line
is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ 'required' | regex_escape() }}\s+pam_unix.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Set PAM's Password Hashing Algorithm - Include or update the PAM module
line in {{ pam_file_path }}
block:
- name: Set PAM's Password Hashing Algorithm - Check if required PAM module line
is present in {{ pam_file_path }} with different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_unix.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set PAM's Password Hashing Algorithm - Ensure the correct control for
the required PAM module line in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_unix.so.*)
replace: \1required \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set PAM's Password Hashing Algorithm - Ensure the required PAM module
line is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password required pam_unix.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: Set PAM's Password Hashing Algorithm - Check if the required PAM module
option is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ 'required' | regex_escape() }}\s+pam_unix.so\s*.*\ssha512\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_sha512_option_present
- name: Set PAM's Password Hashing Algorithm - Ensure the "sha512" PAM option for
"pam_unix.so" is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ 'required' | regex_escape() }}\s+pam_unix.so.*)
line: \1 sha512
state: present
register: result_pam_sha512_add
when:
- result_pam_module_sha512_option_present.found == 0
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- |-
(result_pam_sha512_add is defined and result_pam_sha512_add.changed)
or (result_pam_sha512_edit is defined and result_pam_sha512_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
tags:
- CCE-85565-0
- CJIS-5.6.2.2
- DISA-STIG-SLES-15-020170
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
Remediation Shell script: (show)
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
if [ -e "/etc/pam.d/common-password" ] ; then
PAM_FILE_PATH="/etc/pam.d/common-password"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
# If not already in use, a custom profile is created preserving the enabled features.
if [[ ! $CURRENT_PROFILE == custom/* ]]; then
ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
authselect create-profile hardening -b $CURRENT_PROFILE
CURRENT_PROFILE="custom/hardening"
authselect apply-changes -b --backup=before-hardening-custom-profile
authselect select $CURRENT_PROFILE
for feature in $ENABLED_FEATURES; do
authselect enable-feature $feature;
done
authselect apply-changes -b --backup=after-hardening-custom-profile
fi
PAM_FILE_NAME=$(basename "/etc/pam.d/common-password")
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
fi
if ! grep -qP '^\s*password\s+'"required"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"required"' \2/' "$PAM_FILE_PATH"
else
echo 'password '"required"' pam_unix.so' >> "$PAM_FILE_PATH"
fi
fi
# Check the option
if ! grep -qP '^\s*password\s+'"required"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks '/\s*password\s+'"required"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
authselect apply-changes -b
fi
else
echo "/etc/pam.d/common-password was not found" >&2
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Hashing Rounds in /etc/login.defs
[ref]ruleIn /etc/login.defs , ensure SHA_CRYPT_MIN_ROUNDS and
SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000 .
For example:
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of 5000.Rationale:Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if
they are kept in plain text.
Using more hashing rounds makes password cracking attacks more difficult. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS
has Minimum Value of 5000
ansible.builtin.replace:
path: /etc/login.defs
regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
replace: \g<1>5000\g<2>
backup: false
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MAX_ROUNDS
has Minimum Value of 5000
ansible.builtin.replace:
path: /etc/login.defs
regexp: (^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
replace: \g<1>5000\g<2>
backup: false
tags:
- CCE-85567-6
- DISA-STIG-SLES-15-020190
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_min_rounds_logindefs
Remediation Shell script: (show)
if [ -e "/etc/login.defs" ] ; then
LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
else
printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
return 1
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/login.defs"
cp "/etc/login.defs" "/etc/login.defs.bak"
# Insert at the end of the file
printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs"
# Clean up after ourselves.
rm "/etc/login.defs.bak"
|
Protect Accounts by Restricting Password-Based Login
[ref]groupConventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the /etc/passwd and
/etc/shadow files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary. |
contains 2 rules |
Set Password Expiration Parameters
[ref]groupThe file /etc/login.defs controls several
password-related settings. Programs such as passwd ,
su , and
login consult /etc/login.defs to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page login.defs(5) for more information.
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
PASS_MAX_DAYS and apply it to existing accounts with the
-M flag.
The PASS_MIN_DAYS (-m ) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The PASS_WARN_AGE (-W ) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
For example, for each existing human user USER, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
$ sudo chage -M 180 -m 7 -W 7 USER |
contains 2 rules |
Set Password Maximum Age
[ref]ruleTo specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 90
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is 90 .Rationale:Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise. Identifiers:
CCE-85570-0 References:
BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, 8.3.9, SRG-OS-000076-GPOS-00044, SLES-15-020220, 5.4.1.2, SV-234891r622137_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85570-0
- CJIS-5.6.2.1
- DISA-STIG-SLES-15-020220
- NIST-800-171-3.5.6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.4
- PCI-DSSv4-8.3.9
- accounts_maximum_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
set_fact:
var_accounts_maximum_age_login_defs: !!str 90
tags:
- always
- name: Set Password Maximum Age
lineinfile:
create: true
dest: /etc/login.defs
regexp: ^#?PASS_MAX_DAYS
line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
when: '"shadow" in ansible_facts.packages'
tags:
- CCE-85570-0
- CJIS-5.6.2.1
- DISA-STIG-SLES-15-020220
- NIST-800-171-3.5.6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.4
- PCI-DSSv4-8.3.9
- accounts_maximum_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow; then
var_accounts_maximum_age_login_defs='90'
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Set Password Minimum Length in login.defs
[ref]ruleTo specify password length requirements for new accounts, edit the file
/etc/login.defs and add or correct the following line:
PASS_MIN_LEN 18
The DoD requirement is 15 .
The FISMA requirement is 12 .
The profile requirement is
18 .
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality ) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements.Rationale:Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result. Identifiers:
CCE-91168-5 References:
BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000078-GPOS-00046 Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-91168-5
- CJIS-5.6.2.1
- NIST-800-171-3.5.7
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(f)
- accounts_password_minlen_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
set_fact:
var_accounts_password_minlen_login_defs: !!str 18
tags:
- always
- name: Set Password Minimum Length in login.defs
lineinfile:
dest: /etc/login.defs
regexp: ^PASS_MIN_LEN *[0-9]*
state: present
line: PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}
create: true
when: '"shadow" in ansible_facts.packages'
tags:
- CCE-91168-5
- CJIS-5.6.2.1
- NIST-800-171-3.5.7
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(f)
- accounts_password_minlen_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow; then
var_accounts_password_minlen_login_defs='18'
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
File Permissions and Masks
[ref]groupTraditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable PART appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for PART in turn.
The following command prints a list of all xfs partitions on the local
system, which is the default filesystem for SUSE Linux Enterprise 15
installations:
$ mount -t xfs | awk '{print $3}'
For any systems that use a different
local filesystem type, modify this command as appropriate. |
contains 7 rules |
Verify Permissions on Important Files and
Directories
[ref]groupPermissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen. |
contains 7 rules |
Ensure All World-Writable Directories Are Owned by root User
[ref]ruleAll directories in local partitions which are world-writable should be owned by root.
If any world-writable directories are not owned by root, this should be investigated.
Following this, the files should be deleted or assigned to root user. Rationale:Allowing a user account to own a world-writable directory is undesirable because it allows the
owner of that directory to remove or replace any files that may be placed in the directory by
other users. Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Ensure All World-Writable Directories Are Owned by root User - Define Excluded
(Non-Local) File Systems and Paths
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
excluded_paths:
- dev
- proc
- run
- sys
search_paths: []
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Find Relevant
Root Directories Ignoring Pre-Defined Excluded Paths
ansible.builtin.find:
paths: /
file_type: directory
excludes: '{{ excluded_paths }}'
hidden: true
recurse: false
register: result_relevant_root_dirs
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Include Relevant
Root Directories in a List of Paths to be Searched
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.path]) }}'
loop: '{{ result_relevant_root_dirs.files }}'
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Increment Search
Paths List with Local Partitions Mount Points
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.mount]) }}'
loop: '{{ ansible_mounts }}'
when:
- item.fstype not in excluded_fstypes
- item.mount != '/'
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Increment Search
Paths List with Local NFS File System Targets
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
loop: '{{ ansible_mounts }}'
when: item.device is search("localhost:")
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Define Rule
Specific Facts
ansible.builtin.set_fact:
world_writable_dirs: []
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Find All Uncompliant
Directories in Local File Systems
ansible.builtin.command:
cmd: find {{ item }} -xdev -type d -perm -0002 -uid +0
loop: '{{ search_paths }}'
changed_when: false
register: result_found_dirs
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Create List
of World Writable Directories Not Owned by root
ansible.builtin.set_fact:
world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
}}'
loop: '{{ result_found_dirs.results }}'
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All World-Writable Directories Are Owned by root User - Ensure root
Ownership on Local World Writable Directories
ansible.builtin.file:
path: '{{ item }}'
owner: root
loop: '{{ world_writable_dirs }}'
tags:
- CCE-91239-4
- dir_perms_world_writable_root_owned
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | medium |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
# At least under containerized env /proc can have files w/o possilibity to
# modify even as root. And touching /proc is not good idea anyways.
find / -path /proc -prune -o \
-not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \
-not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \
-not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \
-not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \
-not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
|
Verify that All World-Writable Directories Have Sticky Bits Set
[ref]ruleWhen the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the
following command:
$ sudo chmod +t DIR Rationale:Failing to set the sticky bit on public directories allows unauthorized
users to delete files in the directory structure.
The only authorized public directories are those temporary directories
supplied with the system, or those designed to be temporary file
repositories. The setting is normally reserved for directories used by the
system, by users for temporary file storage (such as /tmp ), and
for directories requiring global read/write access. Identifiers:
CCE-83282-4 References:
BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000138-GPOS-00069, SLES-15-010300, 1.1.22, SV-234828r622137_rule Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded
(Non-Local) File Systems and Paths
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
excluded_paths:
- dev
- proc
- run
- sys
search_paths: []
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant
Root Directories Ignoring Pre-Defined Excluded Paths
ansible.builtin.find:
paths: /
file_type: directory
excludes: '{{ excluded_paths }}'
hidden: true
recurse: false
register: result_relevant_root_dirs
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Include
Relevant Root Directories in a List of Paths to be Searched
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.path]) }}'
loop: '{{ result_relevant_root_dirs.files }}'
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
Search Paths List with Local Partitions Mount Points
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.mount]) }}'
loop: '{{ ansible_mounts }}'
when:
- item.fstype not in excluded_fstypes
- item.mount != '/'
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
Search Paths List with Local NFS File System Targets
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
loop: '{{ ansible_mounts }}'
when: item.device is search("localhost:")
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Rule
Specific Facts
ansible.builtin.set_fact:
world_writable_dirs: []
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All
Uncompliant Directories in Local File Systems
ansible.builtin.command:
cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )
loop: '{{ search_paths }}'
changed_when: false
register: result_found_dirs
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Create List
of World Writable Directories Without Sticky Bit
ansible.builtin.set_fact:
world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
}}'
loop: '{{ result_found_dirs.results }}'
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure Sticky
Bit is Set on Local World Writable Directories
ansible.builtin.file:
path: '{{ item }}'
mode: a+t
loop: '{{ world_writable_dirs }}'
tags:
- CCE-83282-4
- DISA-STIG-SLES-15-010300
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
Remediation Shell script: (show)
df --local -P | awk '{if (NR!=1) print $6}' \
| xargs -I '$6' find '$6' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
-exec chmod a+t {} +
|
Ensure All SGID Executables Are Authorized
[ref]ruleThe SGID (set group id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying
unauthorized SGID files is determine if any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SGID files.
This configuration check considers authorized SGID files which were installed via RPM.
It is assumed that when an individual has sudo access to install an RPM
and all packages are signed with an organizationally-recognized GPG key,
the software should be considered an approved package on the system.
Any SGID file not deployed through an RPM will be flagged for further review. Rationale:Executable files with the SGID permission run with the privileges of
the owner of the file. SGID files of uncertain provenance could allow for
unprivileged users to elevate privileges. The presence of these files should be
strictly controlled on the system. Identifiers:
CCE-91175-0 References:
BP28(R37), BP28(R38), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 6.1.12 |
Ensure All SUID Executables Are Authorized
[ref]ruleThe SUID (set user id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying
unauthorized SUID files is determine if any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SUID files.
This configuration check considers authorized SUID files which were installed via RPM.
It is assumed that when an individual has sudo access to install an RPM
and all packages are signed with an organizationally-recognized GPG key,
the software should be considered an approved package on the system.
Any SUID file not deployed through an RPM will be flagged for further review. Rationale:Executable files with the SUID permission run with the privileges of
the owner of the file. SUID files of uncertain provenance could allow for
unprivileged users to elevate privileges. The presence of these files should be
strictly controlled on the system. Identifiers:
CCE-91174-3 References:
BP28(R37), BP28(R38), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 6.1.11 |
Ensure No World-Writable Files Exist
[ref]ruleIt is generally a good idea to remove global (other) write
access to a file when it is discovered. However, check with
documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be
symptoms of a misconfigured application or user account. Finally,
this applies to real files and not virtual files that are a part of
pseudo file systems such as sysfs or procfs . Rationale:Data in world-writable files can be modified by any
user on the system. In almost all circumstances, files can be
configured using a combination of user and group permissions to
support whatever legitimate access is needed without the risk
caused by world-writable files. Identifiers:
CCE-91233-7 References:
BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, 6.1.8 Remediation Shell script: (show)
find / -xdev -type f -perm -002 -exec chmod o-w {} \;
|
Ensure All Files Are Owned by a Group
[ref]ruleIf any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group. The following command will discover and print
any files on local partitions which do not belong to a valid group:
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
To search all filesystems on a system including network mounted
filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nogroup Warning:
This rule only considers local groups.
If you have your groups defined outside /etc/group , the rule won't consider those. Rationale:Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. Identifiers:
CCE-85658-3 References:
BP28(R55), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, 2.2.6, SRG-OS-000480-GPOS-00227, SLES-15-040410, 6.1.10, SV-235029r622137_rule |
Ensure All Files Are Owned by a User
[ref]ruleIf any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user. The following command will discover and print
any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted
filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser Warning:
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwd returns a list of all users in your organization.
If using the System Security Services Daemon (SSSD), enumerate = true must be configured
in your organization's domain to return a complete list of users Warning:
Enabling this rule will result in slower scan times depending on the size of your organization
and number of centralized users. Rationale:Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. Identifiers:
CCE-85657-5 References:
BP28(R55), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, 2.2.6, SRG-OS-000480-GPOS-00227, SLES-15-040400, 6.1.9, SV-235028r622137_rule |
Services
[ref]groupThe best protection against vulnerable software is running less software. This section describes how to review
the software which SUSE Linux Enterprise 15 installs on a system and disable software which is not needed. It
then enumerates the software packages installed on a default SUSE Linux Enterprise 15 system and provides guidance about which
ones can be safely disabled.
SUSE Linux Enterprise 15 provides a convenient minimal install option that essentially installs the bare necessities for a functional
system. When building SUSE Linux Enterprise 15 systems, it is highly recommended to select the minimal packages and then build up
the system from there. |
contains 13 rules |
The Dynamic Host Configuration Protocol (DHCP) allows
systems to request and obtain an IP address and other configuration
parameters from a server.
This guide recommends configuring networking on clients by manually editing
the appropriate files under /etc/sysconfig . Use of DHCP can make client
systems vulnerable to compromise by rogue DHCP servers, and should be avoided
unless necessary. If using DHCP is necessary, however, there are best practices
that should be followed to minimize security risk. |
contains 1 rule |
Disable DHCP Server
[ref]groupThe DHCP server dhcpd is not installed or activated by
default. If the software was installed and activated, but the
system does not need to act as a DHCP server, it should be disabled
and removed. |
contains 1 rule |
Uninstall DHCP Server Package
[ref]ruleIf the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp-server package can be removed with the following command:
$ sudo zypper remove dhcp-server Rationale:Removing the DHCP server ensures that it cannot be easily or
accidentally reactivated and disrupt network operation. Identifiers:
CCE-85759-9 References:
BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.4, 2.2.5 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_dhcp-server
class remove_dhcp-server {
package { 'dhcp-server':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure dhcp-server is removed
package:
name: dhcp-server
state: absent
tags:
- CCE-85759-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_dhcp_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove dhcp-server
# from the system, and may remove any packages
# that depend on dhcp-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "dhcp-server"
|
Mail Server Software
[ref]groupMail servers are used to send and receive email over the network.
Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
targets of network attack.
Ensure that systems are not running MTAs unnecessarily,
and configure needed MTAs as defensively as possible.
Very few systems at any site should be configured to directly receive email over the
network. Users should instead use mail client programs to retrieve email
from a central server that supports protocols such as IMAP or POP3.
However, it is normal for most systems to be independently capable of sending email,
for instance so that cron jobs can report output to an administrator.
Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
the local system to a central site MTA (or directly delivered to a local account),
but the system still cannot receive mail directly over a network.
The alternatives program in SUSE Linux Enterprise 15 permits selection of other mail server software
(such as Sendmail), but Postfix is the default and is preferred.
Postfix was coded with security in mind and can also be more effectively contained by
SELinux as its modular design has resulted in separate processes performing specific actions.
More information is available on its website,
http://www.postfix.org. |
contains 1 rule |
Uninstall Sendmail Package
[ref]ruleSendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo zypper remove sendmail Rationale:The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux. Postfix
should be used instead. Identifiers:
CCE-85761-5 References:
BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_sendmail
class remove_sendmail {
package { 'sendmail':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure sendmail is removed
package:
name: sendmail
state: absent
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85761-5
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sendmail_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# CAUTION: This remediation script will remove sendmail
# from the system, and may remove any packages
# that depend on sendmail. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "sendmail"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Obsolete Services
[ref]groupThis section discusses a number of network-visible
services which have historically caused problems for system
security, and for which disabling or severely limiting the service
has been the best available guidance for some time. As a result of
this, many of these services are not installed as part of SUSE Linux Enterprise 15
by default.
Organizations which are running these services should
switch to more secure equivalents as soon as possible.
If it remains absolutely necessary to run one of
these services for legacy reasons, care should be taken to restrict
the service as much as possible, for instance by configuring host
firewall software such as iptables to restrict access to the
vulnerable service to only those remote hosts which have a known
need to use it. |
contains 11 rules |
Xinetd
[ref]groupThe xinetd service acts as a dedicated listener for some
network services (mostly, obsolete ones) and can be used to provide access
controls and perform some logging. It has been largely obsoleted by other
features, and it is not installed by default. The older Inetd service
is not even available as part of SUSE Linux Enterprise 15. |
contains 1 rule |
Uninstall xinetd Package
[ref]ruleThe xinetd package can be removed with the following command:
$ sudo zypper remove xinetd Rationale:Removing the xinetd package decreases the risk of the
xinetd service's accidental (or intentional) activation. Identifiers:
CCE-91436-6 References:
BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000305, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4, 2.1.1 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_xinetd
class remove_xinetd {
package { 'xinetd':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure xinetd is removed
package:
name: xinetd
state: absent
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-91436-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_xinetd_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# CAUTION: This remediation script will remove xinetd
# from the system, and may remove any packages
# that depend on xinetd. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "xinetd"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
The Network Information Service (NIS), also known as 'Yellow
Pages' (YP), and its successor NIS+ have been made obsolete by
Kerberos, LDAP, and other modern centralized authentication
services. NIS should not be used because it suffers from security
problems inherent in its design, such as inadequate protection of
important authentication information. |
contains 2 rules |
Remove NIS Client
[ref]ruleThe Network Information Service (NIS), formerly known as Yellow Pages,
is a client-server directory service protocol used to distribute system configuration
files. The NIS client (ypbind ) was used to bind a system to an NIS server
and receive the distributed configuration files. Rationale:The NIS service is inherently an insecure system that has been vulnerable
to DOS attacks, buffer overflows and has poor authentication for querying
NIS maps. NIS generally has been replaced by such protocols as Lightweight
Directory Access Protocol (LDAP). It is recommended that the service be
removed. Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_ypbind
class remove_ypbind {
package { 'ypbind':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure ypbind is removed
package:
name: ypbind
state: absent
tags:
- CCE-91159-4
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_ypbind_removed
- unknown_severity
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove ypbind
# from the system, and may remove any packages
# that depend on ypbind. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "ypbind"
|
Uninstall ypserv Package
[ref]ruleThe ypserv package can be removed with the following command:
$ sudo zypper remove ypserv Rationale:The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
remote session.
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services. Identifiers:
CCE-91160-2 References:
BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, 2.2.4, SRG-OS-000095-GPOS-00049, 2.2.18 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_ypserv
class remove_ypserv {
package { 'ypserv':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure ypserv is removed
package:
name: ypserv
state: absent
tags:
- CCE-91160-2
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-5(1)(c)
- PCI-DSS-Req-2.2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_ypserv_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove ypserv
# from the system, and may remove any packages
# that depend on ypserv. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "ypserv"
|
Rlogin, Rsh, and Rexec
[ref]groupThe Berkeley r-commands are legacy services which
allow cleartext remote access and have an insecure trust
model. |
contains 2 rules |
Uninstall rsh-server Package
[ref]ruleThe rsh-server package can be removed with the following command:
$ sudo zypper remove rsh-server Rationale:The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation. Identifiers:
CCE-91425-9 References:
BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4, SRG-OS-000095-GPOS-00049 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_rsh-server
class remove_rsh-server {
package { 'rsh-server':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure rsh-server is removed
package:
name: rsh-server
state: absent
tags:
- CCE-91425-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-5(1)(c)
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_rsh-server_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove rsh-server
# from the system, and may remove any packages
# that depend on rsh-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "rsh-server"
|
Uninstall rsh Package
[ref]rule
The rsh package contains the client commands
for the rsh services Rationale:These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the rsh package removes
the clients for rsh ,rcp , and rlogin . Identifiers:
CCE-85760-7 References:
BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.2.4, 2.3.2 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_rsh
class remove_rsh {
package { 'rsh':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure rsh is removed
package:
name: rsh
state: absent
tags:
- CCE-85760-7
- NIST-800-171-3.1.13
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_rsh_removed
- unknown_severity
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove rsh
# from the system, and may remove any packages
# that depend on rsh. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "rsh"
|
Chat/Messaging Services
[ref]groupThe talk software makes it possible for users to send and receive messages
across systems through a terminal session. |
contains 2 rules |
Uninstall talk-server Package
[ref]ruleThe talk-server package can be removed with the following command: $ sudo zypper remove talk-server Rationale:The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk-server package decreases the
risk of the accidental (or intentional) activation of talk services. Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_talk-server
class remove_talk-server {
package { 'talk-server':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure talk-server is removed
package:
name: talk-server
state: absent
tags:
- CCE-91433-3
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_talk-server_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove talk-server
# from the system, and may remove any packages
# that depend on talk-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "talk-server"
|
Uninstall talk Package
[ref]ruleThe talk package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo zypper remove talk Rationale:The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk package decreases the
risk of the accidental (or intentional) activation of talk client program. Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_talk
class remove_talk {
package { 'talk':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure talk is removed
package:
name: talk
state: absent
tags:
- CCE-91432-5
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_talk_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove talk
# from the system, and may remove any packages
# that depend on talk. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "talk"
|
Telnet
[ref]groupThe telnet protocol does not provide confidentiality or integrity
for information transmitted on the network. This includes authentication
information such as passwords. Organizations which use telnet should be
actively working to migrate to a more secure protocol. |
contains 2 rules |
Uninstall telnet-server Package
[ref]ruleThe telnet-server package can be removed with the following command:
$ sudo zypper remove telnet-server Rationale:It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. Identifiers:
CCE-83273-3 References:
BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, 2.2.4, SRG-OS-000095-GPOS-00049, SLES-15-010180, 2.2.19, SV-234818r877396_rule Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_telnet-server
class remove_telnet-server {
package { 'telnet-server':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure telnet-server is removed
package:
name: telnet-server
state: absent
tags:
- CCE-83273-3
- DISA-STIG-SLES-15-010180
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_telnet-server_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove telnet-server
# from the system, and may remove any packages
# that depend on telnet-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "telnet-server"
|
Remove telnet Clients
[ref]ruleThe telnet client allows users to start connections to other systems via
the telnet protocol. Rationale:The telnet protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The ssh package provides an
encrypted session and stronger security and is included in SUSE Linux Enterprise 15. Identifiers:
CCE-91434-1 References:
BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.2.4, 2.3.4 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_telnet
class remove_telnet {
package { 'telnet':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure telnet is removed
package:
name: telnet
state: absent
tags:
- CCE-91434-1
- NIST-800-171-3.1.13
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_telnet_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove telnet
# from the system, and may remove any packages
# that depend on telnet. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "telnet"
|
TFTP Server
[ref]groupTFTP is a lightweight version of the FTP protocol which has
traditionally been used to configure networking equipment. However,
TFTP provides little security, and modern versions of networking
operating systems frequently support configuration via SSH or other
more secure protocols. A TFTP server should be run only if no more
secure method of supporting existing equipment can be
found. |
contains 2 rules |
Uninstall tftp-server Package
[ref]ruleThe tftp-server package can be removed with the following command: $ sudo zypper remove tftp-server Rationale:Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Securty Manager (ISSM), restricted to only authorized personnel, and have
access control rules established. Identifiers:
CCE-91227-9 References:
BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4, SRG-OS-000480-GPOS-00227 Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_tftp-server
class remove_tftp-server {
package { 'tftp-server':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure tftp-server is removed
package:
name: tftp-server
state: absent
tags:
- CCE-91227-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_tftp-server_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove tftp-server
# from the system, and may remove any packages
# that depend on tftp-server. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "tftp-server"
|
Remove tftp Daemon
[ref]ruleTrivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between systems.
TFTP does not support authentication and can be easily hacked. The package
tftp is a client program that allows for connections to a tftp server. Rationale:It is recommended that TFTP be removed, unless there is a specific need
for TFTP (such as a boot server). In that case, use extreme caution when configuring
the services. Remediation Puppet snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
include remove_tftp
class remove_tftp {
package { 'tftp':
ensure => 'purged',
}
}
Remediation Ansible snippet: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
- name: Ensure tftp is removed
package:
name: tftp
state: absent
tags:
- CCE-91158-6
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_tftp_removed
Remediation Shell script: (show)
Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | disable |
---|
# CAUTION: This remediation script will remove tftp
# from the system, and may remove any packages
# that depend on tftp. Execute this
# remediation AFTER testing on a non-production
# system!
zypper remove -y "tftp"
|