diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a074746..e16775d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -62,3 +62,9 @@ jobs:
 jq 'del(.version, .platform.release)' zap_output.json > zap_output_jq.json
 jq 'del(.version, .platform.release)' ./sample_jsons/zap_mapper/zero.webappsecurity.json > zap_sample.json
 diff zap_sample.json zap_output_jq.json
+ - name: Test nessus_mapper
+ run: |
+ heimdall_tools nessus_mapper -x ./sample_jsons/nessus_mapper/sample_input_report/nessus_sample.nessus -o nessus.json
+ jq 'del(.version, .platform.release)' nessus.json-ip-10-10-23-102.json > nessus_jq.json
+ jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus_sample_hdf.json > nessus_sample_hdf.json
+ diff nessus_sample_hdf.json nessus_jq.json
diff --git a/lib/heimdall_tools/nessus_mapper.rb b/lib/heimdall_tools/nessus_mapper.rb
index 2982a60..312b5d8 100644
--- a/lib/heimdall_tools/nessus_mapper.rb
+++ b/lib/heimdall_tools/nessus_mapper.rb
@@ -71,7 +71,8 @@ def extract_scaninfo
 info = {}
 info['policyName'] = policy['policyName']
- info['version'] = policy['Preferences']['ServerPreferences']['preference'].select { |x| x['name'].eql? 'sc_version' }.first['value']
+ scanner_version = policy['Preferences']['ServerPreferences']['preference'].select { |x| x['name'].eql? 'sc_version' }
+ info['version'] = scanner_version.empty? ? NA_STRING : scanner_version.first['value']
 info
 rescue StandardError => e
 raise "Invalid Nessus XML file provided Exception: #{e}"
diff --git a/sample_jsons/nessus_mapper/nessus_sample_hdf.json b/sample_jsons/nessus_mapper/nessus_sample_hdf.json
new file mode 100644
index 0000000..89961ed
--- /dev/null
+++ b/sample_jsons/nessus_mapper/nessus_sample_hdf.json
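Review bot: The redirect `> nessus_sample_hdf.json` on the fifth added line writes a workspace file with the same basename as the checked-in sample it is derived from, which is easy to confuse with `./sample_jsons/nessus_mapper/nessus_sample_hdf.json` when reading a failed diff; the zap step above names its stripped copy `zap_sample.json`, so `> nessus_sample.json` and `diff nessus_sample.json nessus_jq.json` would keep the two steps parallel. The input `nessus.json-ip-10-10-23-102.json` on the fourth added line is presumably the per-target file the mapper derives from `-o nessus.json` and the `target_id` present in the sample output, so a `# mapper writes one file per target: <output>-<target_id>.json` comment above the run block would explain why the name differs from the `-o` argument and must change with the sample input. The `run:` block of the preceding zap step starts outside the hunk.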
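Review bot: The `select … .empty? ? NA_STRING : ….first['value']` pair on the two added lines is a find expressed in two steps; `scanner_version = policy['Preferences']['ServerPreferences']['preference'].find { |x| x['name'] == 'sc_version' }` followed by `info['version'] = scanner_version ? scanner_version['value'] : NA_STRING` gives the same fallback without building an intermediate array. The new guard only covers a missing sc_version entry: if `Preferences`, `ServerPreferences` or `preference` is absent the chain still raises NoMethodError, which the rescue below folds into the generic "Invalid Nessus XML file" message, so a report whose policy block lacks preferences is rejected instead of getting NA_STRING; `policy.dig('Preferences', 'ServerPreferences', 'preference')` wrapped in `Array(...)` would let it degrade the same way (whether a single `preference` child arrives as a Hash rather than an Array depends on the XML conversion, which is outside the hunk). extract_scaninfo's `def` and `end` lie outside the hunk.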
@@ -0,0 +1 @@ +{"platform":{"name":"Heimdall Tools","release":"1.3.44.3.gbf97131.1.dirty.20210501.190510","target_id":"ip-10-10-23-102"},"version":"1.3.44.3.gbf97131.1.dirty.20210501.190510","statistics":{"duration":null},"profiles":[{"name":"Nessus Policy Compliance Auditing","version":"","title":"Nessus Policy Compliance Auditing","maintainer":null,"summary":"Nessus Policy Compliance Auditing","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"tags":{"nist":["CM-8","Rev_4"]},"descriptions":[],"refs":[],"source_location":{},"id":"14272","title":"Netstat Portscanner (SSH)","desc":"Plugin Family: Port scanners; Port: 6062; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' 
about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"Nessus was able to run 'netstat' on the remote host to enumerate the\nopen ports.\n\nSee the section 'plugins options' about configuring this plugin.\n\nNote: This plugin will run on Windows (using netstat.exe) in the \nevent that the target being scanned is localhost.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":["UM-1","Rev_4"]},"descriptions":[],"refs":[],"source_location":{},"id":"19506","title":"Nessus Scan Information","desc":"Plugin Family: Settings; Port: 0; Protocol: tcp;","impact":0.0,"code":"","results":[{"status":"failed","code_desc":"This plugin displays, for each tested host, information about the\nscan itself :\n\n - The version of the plugin set.\n - The type of scanner (Nessus or Nessus Home).\n - The version of the Nessus Engine.\n - The port scanner(s) used.\n - The port range scanned.\n - The ping round trip time \n - Whether credentialed or third-party patch management\n checks are possible.\n - Whether the display of superseded patches is enabled\n - The date of the scan.\n - The duration of the scan.\n - The number of hosts scanned in parallel.\n - The number of checks done in parallel.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"}]},{"tags":{"nist":["unmapped"]},"descriptions":[],"refs":[],"source_location":{},"id":"21157","title":"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark","desc":"Plugin Family: Policy Compliance; Port: 0; Protocol: ;","impact":0.3,"code":"","results":[{"status":"passed","code_desc":"\"CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark\" : [PASSED]\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nPolicy Value:\nPASSED","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]},{"tags":{"nist":[]},"descriptions":[{"data":"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.","label":"check"}],"refs":[],"source_location":{},"id":"","title":"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab","desc":"The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. 
If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.","impact":-1,"code":"","results":[{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'\nexpect: ^none$\nsystem: Linux\n\nActual Value:\nThe command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'' returned : \n\nnone","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe\" : [WARNING]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v vfat\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v vfat' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod\" : [PASSED]\n\nThe FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.\n\nRationale:\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.\n\nNOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/vfat.conf\n\ninstall vfat /bin/true\n\nRun the following command to unload the vfat module:\n\n# rmmod vfat\n\nImpact:\n\nThe FAT filesystem format is used by UEFI systems for the EFI boot partition. 
Disabling the vfat module can prevent boot on UEFI systems.\n\nFAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.6 Ensure separate partition exists for /var\" : [FAILED]\n\nThe /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.\n\nRationale:\n\nSince the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. 
The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'\nexpect: on[\\s]+/var[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.7 Ensure separate partition exists for /var/tmp\" : [FAILED]\n\nThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.\n\nRationale:\n\nSince the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. 
If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'\nexpect: on[\\s]+/var/tmp[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/tmp[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.11 Ensure separate partition exists for /var/log\" : [FAILED]\n\nThe /var/log directory is used by system services to store log data .\n\nRationale:\n\nThere are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'\nexpect: on[\\s]+/var/log[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.12 Ensure separate partition exists for /var/log/audit\" : [FAILED]\n\nThe auditing daemon, auditd , stores log data in the /var/log/audit directory.\n\nRationale:\n\nThere are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. 
If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired.\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nNotes:\n\nWhen modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'\nexpect: on[\\s]+/var/log/audit[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/var/log/audit[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.1.13 Ensure separate partition exists for /home\" : [FAILED]\n\nThe /home directory is used to support disk storage needs of local users.\n\nRationale:\n\nIf the system is 
intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .\n\nSolution:\nFor new installations, during installation create a custom partition setup and specify a separate partition for /home .\nFor systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.\n\nImpact:\n\nResizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.\n\nReferences:\n\nAJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'\nexpect: on[\\s]+/home[\\s]+\nsystem: Linux\n\nActual Value:\nThe command '/bin/mount | /bin/grep -P 'on[\\s]+/home[\\s]'' did not return any result","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*[1-9][0-9]*[\\s]+profiles[\\s]+are[\\s]+loaded\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in 
complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain\" : [FAILED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+profiles[\\s]+are[\\s]+in[\\s]+complain[\\s]+mode\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n 
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined\" : [PASSED]\n\nAppArmor profiles define what resources applications are able to access.\n\nRationale:\n\nSecurity configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. 
This item is intended to ensure that any policies that exist on the system are activated.\n\nSolution:\nRun the following command to set all profiles to enforce mode:\n\n# aa-enforce /etc/apparmor.d/*\n\nAny unconfined processes may need to have a profile created or activated for them and then be restarted.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2\n\nPolicy Value:\ncmd: /usr/sbin/apparmor_status\nexpect: ^[\\s]*0[\\s]+processes[\\s]+are[\\s]+unconfined\nsystem: Linux\n\nActual Value:\nThe command '/usr/sbin/apparmor_status' returned : \n\napparmor module is loaded.\n28 profiles are loaded.\n26 profiles are in enforce mode.\n /sbin/dhclient\n /snap/core/10908/usr/lib/snapd/snap-confine\n /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /snap/core/9804/usr/lib/snapd/snap-confine\n /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/bin/freshclam\n /usr/bin/lxc-start\n /usr/bin/man\n /usr/lib/NetworkManager/nm-dhcp-client.action\n /usr/lib/NetworkManager/nm-dhcp-helper\n /usr/lib/connman/scripts/dhclient-script\n /usr/lib/ipsec/charon\n /usr/lib/ipsec/stroke\n /usr/lib/snapd/snap-confine\n /usr/lib/snapd/snap-confine//mount-namespace-capture-helper\n /usr/sbin/clamd\n /usr/sbin/tcpdump\n lxc-container-default\n lxc-container-default-cgns\n lxc-container-default-with-mounting\n lxc-container-default-with-nesting\n man_filter\n man_groff\n snap-update-ns.amazon-ssm-agent\n snap-update-ns.core\n snap.core.hook.configure\n2 profiles are in complain mode.\n snap.amazon-ssm-agent.amazon-ssm-agent\n snap.amazon-ssm-agent.ssm-cli\n5 processes have profiles defined.\n3 processes are in enforce mode.\n /usr/bin/freshclam (1145) \n /usr/lib/ipsec/charon (1384) \n /usr/sbin/clamd (1214) \n2 processes are in complain 
mode.\n snap.amazon-ssm-agent.amazon-ssm-agent (1178) \n snap.amazon-ssm-agent.amazon-ssm-agent (1634) \n0 processes are unconfined but have a profile defined.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.1 Ensure DCCP is disabled - modprobe\" : [FAILED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v dccp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v dccp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.1 Ensure DCCP is disabled - lsmod\" : [PASSED]\n\nThe Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale:\n\nIf the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/dccp.conf\nand add the following line:\n\ninstall dccp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.2 Ensure SCTP is disabled - modprobe\" : [FAILED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v sctp\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v sctp' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.2 Ensure SCTP is disabled - lsmod\" : [PASSED]\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. 
It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/sctp.conf\nand add the following line:\n\ninstall sctp /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.3 Ensure RDS is disabled - modprobe\" : [FAILED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v rds\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v rds' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.3 Ensure RDS is disabled - lsmod\" : [PASSED]\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. 
It was developed by the Oracle Corporation.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/rds.conf\nand add the following line:\n\ninstall rds /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"3.4.4 Ensure TIPC is disabled - modprobe\" : [FAILED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/modprobe -n -v tipc\nexpect: install /bin/true\nsystem: Linux\n\nActual Value:\nThe command '/sbin/modprobe -n -v tipc' returned : \n\ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko \ninsmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"3.4.4 Ensure TIPC is disabled - lsmod\" : [PASSED]\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale:\n\nIf the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.\n\nSolution:\nEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\nExample: vi /etc/modprobe.d/tipc.conf\nand add the following line:\n\ninstall tipc /bin/true\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}'' returned : \n\npass","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"3.7 Disable IPv6\" : [FAILED]\n\nAlthough IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale:\n\nIf IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.\n\nSolution:\nEdit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:\n\nGRUB_CMDLINE_LINUX='ipv6.disable=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2\n\nPolicy Value:\nexpect: ipv6\\.disable[\\s]*=[\\s]*1\nfile: /etc/default/grub\nregex: ^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/default/grub - regex '^[\\s]*GRUB_CMDLINE_LINUX[\\s]*=[\\s]*' found - expect 'ipv6\\.disable[\\s]*=[\\s]*1' not found in the following lines:\n 11: GRUB_CMDLINE_LINUX=\"audit=1\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.1 Ensure auditd is installed\" : [FAILED]\n\nauditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to Install auditd\n\n# apt install auditd audispd-plugins\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3\n\nPolicy Value:\ncmd: /usr/bin/dpkg -s audispd-plugins 2>&1\nexpect: install[\\s]+ok[\\s]+installed\nsystem: Linux\n\nActual Value:\nThe command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : \n\ndpkg-query: package 'audispd-plugins' is not installed and no information is available\nUse dpkg --info (= dpkg-deb --info) to examine archive files,\nand dpkg --contents (= dpkg-deb --contents) to list their contents.","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.2 Ensure auditd service is enabled\" : [PASSED]\n\nEnable and start the auditd daemon to record system events.\n\nRationale:\n\nThe capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.\n\nSolution:\nRun the following command to enable auditd :\n\n# systemctl --now enable auditd\n\nNotes:\n\nAdditional methods of enabling a service exist. 
Consult your distribution documentation for appropriate methods.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print \"disabled\" }'\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\nThe command returned : \n\nenabled","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled\" : [PASSED]\n\nConfigure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:\n\nGRUB_CMDLINE_LINUX='audit=1'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nNotes:\n\nThis recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.\n\nReplace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit=1.*[\\s]*$' found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.1.4 Ensure audit_backlog_limit is sufficient\" : [FAILED]\n\nThe backlog limit has a default setting of 64\n\nRationale:\n\nduring boot if audit=1, then the backlog will hold 64 records. 
If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.\n\nSolution:\nEdit /etc/default/grub and add audit_backlog_limit= to GRUB_CMDLINE_LINUX:\nExample:\n\nGRUB_CMDLINE_LINUX='audit_backlog_limit=8192'\n\nRun the following command to update the grub2 configuration:\n\n# update-grub\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4\n\nPolicy Value:\nexpect: ^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$\nfile: /boot/grub/grub.cfg\nregex: ^[\\s]*linux[\\s]+\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /boot/grub/grub.cfg - regex '^[\\s]*linux[\\s]+' found - expect '^[\\s]*linux[\\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\\s]*$' not found in the following lines:\n 123: linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 141: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 158: \t linux\t/boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1\n 176: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1\n 193: \t linux\t/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.1 Ensure audit log storage size is 
configured\" : [FAILED]\n\nConfigure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale:\n\nIt is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:\n\nmax_log_file = \n\nNotes:\n\nThe max_log_file parameter is measured in megabytes.\n\nOther methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file[\\s]*=' found - expect '^[\\s]*max_log_file[\\s]*=[\\s]*32[\\s]*$' not found in the following lines:\n 12: max_log_file = 8","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.2 Ensure audit logs are not automatically deleted\" : [FAILED]\n\nThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. 
A value of keep_logs will rotate the logs but never delete old logs.\n\nRationale:\n\nIn high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.\n\nSolution:\nSet the following parameter in /etc/audit/auditd.conf:\n\nmax_log_file_action = keep_logs\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*max_log_file_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*max_log_file_action[\\s]*=' found - expect '^[\\s]*max_log_file_action[\\s]*=[\\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\\s]*$' not found in the following lines:\n 19: max_log_file_action = ROTATE","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f\n\nPolicy Value:\nexpect: ^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex 
'^[\\s]*space_left_action[\\s]*=' found - expect '^[\\s]*space_left_action[\\s]*=[\\s]*[Ee][Mm][Aa][Ii][Ll][\\s]*$' not found in the following lines:\n 21: space_left_action = SYSLOG","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'\" : [PASSED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1\n\nPolicy Value:\nexpect: ^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*action_mail_acct[\\s]*=\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*action_mail_acct[\\s]*=' found - expect '^[\\s]*action_mail_acct[\\s]*=[\\s]*root[\\s]*$' found in the following lines:\n 23: action_mail_acct = root","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'\" : [FAILED]\n\nThe auditd daemon can be configured to halt the system when the audit logs are full.\n\nRationale:\n\nIn high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.\n\nSolution:\nSet the following parameters in /etc/audit/auditd.conf:\n\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S\n\nPolicy Value:\nexpect: ^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$\nfile: /etc/audit/auditd.conf\nregex: ^[\\s]*admin_space_left_action[\\s]*=\nsystem: Linux\n\nActual Value:\nNon-compliant file(s):\n /etc/audit/auditd.conf - regex '^[\\s]*admin_space_left_action[\\s]*=' found - expect '^[\\s]*admin_space_left_action[\\s]*=[\\s]*[Hh][Aa][Ll][Tt][\\s]*$' not found in the following lines:\n 25: admin_space_left_action = SUSPEND","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S 
settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - /etc/localtime\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nfile: /etc/audit/audit.rules\nregex: -w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-w[\\s]+/etc/localtime[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+.*time-change\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+clock_settime[\\s]+-F[\\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*adjtimex\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)\" : [FAILED]\n\nCapture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/time-change.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nfile: /etc/audit/audit.rules\nregex: -a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+.*clock_settime\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM 
configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/group[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are 
collected - /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+\\/etc\\/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 
0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/passwd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/gshadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or 
/etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group 
information are collected - auditctl /etc/shadow\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/shadow[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk 
'{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nfile: 
/etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/security\\/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd\" : [FAILED]\n\nRecord events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/identity.rules\nand add the following lines:\n\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/security/opasswd[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/issue\\.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/issue.net[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR 
!= 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/hosts[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - /etc/network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl network\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/network[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) 
print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+sethostname[\\s]+-S[\\s]+setdomainname[\\s]+-k[\\s]+system-locale[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)\" : [FAILED]\n\nRecord changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.'\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/system-locale.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does 
not contain \"^[\\s]*-w[\\s]+/etc/apparmor/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc/apparmor.d/[\\s]+-p[\\s]+wa[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/\" : [FAILED]\n\nMonitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories.\n\nRationale:\n\nChanges to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/MAC-policy.rules\nand add the following lines:\n\n-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/etc/apparmor.d[/]?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/lastlog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : 
\n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/faillog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual 
Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog\" : [FAILED]\n\nMonitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale:\n\nMonitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/logins.rules\nand add the following lines:\n\n-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command 
'/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/tallylog[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl utmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/run/utmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: 
^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl wtmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. 
a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/wtmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.8 Ensure session initiation information is collected - auditctl btmp\" : [FAILED]\n\nMonitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.'\n\nRationale:\n\nMonitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/session.rules\nand add the following lines:\n\n-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n\nNotes:\n\nThe last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P 
'^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+/var/log/btmp[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission 
modification events are collected - auditctl chown/fchown/fchownat/lchown\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chmod[\\s]+-S[\\s]+fchmod[\\s]+-S[\\s]+fchmodat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+chown[\\s]+-S[\\s]+fchown[\\s]+-S[\\s]+fchownat[\\s]+-S[\\s]+lchown[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are 
collected - auditctl chown/fchown/fchownat/lchown (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi 
/etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P 
'^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be 
restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+perm_mod[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+setxattr[\\s]+-S[\\s]+lsetxattr[\\s]+-S[\\s]+fsetxattr[\\s]+-S[\\s]+removexattr[\\s]+-S[\\s]+lremovexattr[\\s]+-S[\\s]+fremovexattr[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)\" : [FAILED]\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\nawk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/perm_mod.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are 
collected - EACCES\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES\" : 
[FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 
-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=(i386|b32)[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EACCES[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+creat[\\s]+-S[\\s]+open[\\s]+-S[\\s]+openat[\\s]+-S[\\s]+truncate[\\s]+-S[\\s]+ftruncate[\\s]+-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+access[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)\" : [FAILED]\n\nMonitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/access.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F 
auid!=4294967295 -k access\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\\s]+exit=-EPERM[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.11 Ensure use of privileged commands is collected\" : [FAILED]\n\nMonitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nExecution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.\n\nSolution:\nTo remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:\n-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events\nAll audit records should be tagged with the identifier 'privileged'.\nRun the following command replacing with a list of partitions where programs can be executed from on your system:\n\n# find -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print \n'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 \n-k privileged' }'\n\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/privileged.rules\nAnd add all resulting lines to the file.\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2\n\nPolicy Value:\ncmd: IFS=$''; LINES=$(find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f); for LINE in $LINES; do LINE=\"-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\"; if [ 
$(grep -- \"$LINE\" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo \"$LINE - not found in /etc/audit/rules.d/\"; fi; done\ndont_echo_cmd: YES\nnot_expect: not found\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n-a always,exit -F path=/opt/threatstack/sbin/tsfim\n/opt/threatstack/sbin/tsauditd\n/opt/threatstack/sbin/tsagentd\n/opt/threatstack/sbin/raudit\n/usr/lib/openssh/ssh-keysign\n/usr/lib/snapd/snap-confine\n/usr/lib/eject/dmcrypt-get-device\n/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/lib/x86_64-linux-gnu/utempter/utempter\n/usr/lib/policykit-1/polkit-agent-helper-1\n/usr/bin/passwd\n/usr/bin/newgrp\n/usr/bin/pkexec\n/usr/bin/bsd-write\n/usr/bin/expiry\n/usr/bin/chage\n/usr/bin/chfn\n/usr/bin/traceroute6.iputils\n/usr/bin/crontab\n/usr/bin/at\n/usr/bin/sudo\n/usr/bin/gpasswd\n/usr/bin/ssh-agent\n/usr/bin/chsh\n/usr/bin/mlocate\n/usr/bin/wall\n/sbin/unix_chkpwd\n/sbin/pam_extrausers_chkpwd\n/bin/mount\n/bin/su\n/bin/umount\n/bin/ping\n/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 32-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - 64-bit\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+mounts[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/mounts.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n\nNotes:\n\nThis tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. 
CD ROMS).\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+mount[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 32-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - 64-bit\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+unlink[\\s]+-S[\\s]+unlinkat[\\s]+-S[\\s]+rename[\\s]+-S[\\s]+renameat[\\s]+-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=4294967295[\\s]+-k[\\s]+delete[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)\" : [FAILED]\n\nMonitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'.\n\nNote: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n# awk '/^s*UID_MIN/{print $2}' /etc/login.defs\n\nIf your systems' UID_MIN is not 1000, replace audit>=1000 with audit>= in the Audit and Remediation procedures.\n\nRationale:\n\nMonitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/audit.rules\nand add the following lines:\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/delete.rules\nand add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nNotes:\n\nAt a minimum, configure the audit system to collect file deletion events for all users and root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\\s]+auid>=1000[\\s]+-F[\\s]+auid!=-1[\\s]+-F[\\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d\" : [FAILED]\n\nMonitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'\n\nRationale:\n\nChanges in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/scope.rules\nand add the following lines:\n\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/etc\\/sudoers\\.d\\/?[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected\" : [FAILED]\n\nMonitor the sudo log file. 
If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. 
This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl\" : [FAILED]\n\nMonitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale:\n\nChanges in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. 
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line:\n\n-w -p wa -k actions\n\nExample: vi /etc/audit/rules.d/actions.rules\nand add the following line:\n\n-w /var/log/sudo.log -p wa -k actions\n\nNotes:\n\nThe system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root.\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/var\\/log\\/sudo\\.log[\\s]+-p[\\s]+wa[\\s]+-k[\\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/insmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+/sbin/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/rmmod[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 
800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-w[\\s]+\\/sbin\\/modprobe[\\s]+-p[\\s]+x[\\s]+-k[\\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 
2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: 
https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain \"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\nexpect: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nfile: /etc/audit/audit.rules\nregex: ^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\nsystem: Linux\n\nActual Value:\nThe file \"/etc/audit/audit.rules\" does not contain 
\"^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+init_module[\\s]+-S[\\s]+delete_module[\\s]+-k[\\s]+modules[\\s]*$\"","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)\" : [FAILED]\n\nMonitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'.\n\nRationale:\n\nMonitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.\n\nSolution:\nFor 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nFor 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules\nExample: vi /etc/audit/rules.d/modules.rules\nand add the following lines:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n\nNotes:\n\nReloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1\n\nPolicy Value:\ncmd: /sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\nThe command '/sbin/auditctl -l | /bin/grep -P '^-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-S[\\s]+(?=.*init_module)(?=.*delete_module).*-F[\\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print 
\"fail\"}'' returned : \n\nfail","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"4.1.17 Ensure the audit configuration is immutable\" : [FAILED]\n\nSet system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale:\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.\n\nSolution:\nEdit or create the file /etc/audit/rules.d/99-finalize.rules and add the line\n\n-e 2\n\nat the end of the file\n\nNotes:\n\nThis setting will ensure reloading the auditd config to set active settings requires a system reboot.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\ncmd: /bin/grep -v \"^$\" /etc/audit/audit.rules | /usr/bin/tail -1\ndont_echo_cmd: YES\nexpect: ^[\\s]*-e[\\s]+2[\\s]*$\nsystem: Linux\n\nActual Value:\nThe command returned : \n\n--backlog_wait_time 0","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.6 Ensure SSH X11 forwarding is disabled\" : [PASSED]\n\nThe X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.\n\nRationale:\n\nDisable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nX11Forwarding no\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*X11Forwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*X11Forwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*X11Forwarding[\\s]' found - expect '^[\\s]*X11Forwarding[\\s]+no[\\s]*$' found in the following lines:\n 22: X11Forwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"passed","code_desc":"\"5.2.21 Ensure SSH AllowTcpForwarding is disabled\" : [PASSED]\n\nSSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines\n\nRationale:\n\nLeaving port forwarding enabled can expose the organization to security risks and back-doors.\n\nSSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network\n\nSolution:\nEdit the /etc/ssh/sshd_config file to set the parameter as follows:\n\nAllowTcpForwarding no\n\nImpact:\n\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.\n\nDefault Value:\n\nAllowTcpForwarding yes\n\nReferences:\n\nhttps://www.ssh.com/ssh/tunneling/example\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3\n\nPolicy Value:\nexpect: ^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$\nfile: /etc/ssh/sshd_config\nregex: ^[\\s]*AllowTcpForwarding[\\s]\nsystem: Linux\n\nActual Value:\nCompliant file(s):\n /etc/ssh/sshd_config - regex '^[\\s]*AllowTcpForwarding[\\s]' found - expect '^[\\s]*AllowTcpForwarding[\\s]+no[\\s]*$' found in the following lines:\n 63: AllowTcpForwarding no","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"},{"status":"failed","code_desc":"\"6.1.1 Audit system file permissions\" : [WARNING]\n\nThe Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. 
The following table describes the meaning of output from the verify option:\n\nCode Meaning\n\nS File size differs.\n\nM File mode differs (includes permissions and file type).\n\n5 The MD5 checksum differs.\n\nD The major and minor version numbers differ on a device file.\n\nL A mismatch occurs in a link.\n\nU The file ownership differs.\n\nG The file group owner differs.\n\nT The file time (mtime) differs.\n\nThe dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to:\n\n# dpkg -S /bin/bash\n\n\n\nbash: /bin/bash\n\n\n\n\nTo verify the settings for the package that controls the /bin/bash file, run the following:\n\n# dpkg --verify bash\n\n\n\n??5?????? c /etc/bash.bashrc\n\nRationale:\n\nIt is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.\n\nNOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.\n\nSolution:\nCorrect any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.\n\nNotes:\n\nSince packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.\n\nSome of the recommendations of this benchmark alter the state of files audited by this recommendation. 
The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.\n\nSee Also: https://workbench.cisecurity.org/files/2611\n\nReference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS\n\nPolicy Value:\nWARNING","run_time":0.0,"start_time":"Wed Mar 24 21:03:39 2021"}]}],"sha256":"c02d212bacc341e18d5fd92c16e71aeaf829ed6c96b66e1b5864ddf83b97670a"}]}
\ No newline at end of file
diff --git a/sample_jsons/nessus_mapper/sample_input_report/nessus_sample.nessus b/sample_jsons/nessus_mapper/sample_input_report/nessus_sample.nessus
new file mode 100644
index 0000000..60764b3
--- /dev/null
+++ b/sample_jsons/nessus_mapper/sample_input_report/nessus_sample.nessus
@@ -0,0 +1,31203 @@ + + + + Policy Compliance Auditing + + + + + TARGET + 10.10.23.102,10.10.37.43,10.10.24.231 + + + plugin_set + 21157;14272;84239;34220;87413; + + + time_window_end + 1616663019 + + + time_window_start + 1616619819 + + + time_window + 43200 + + + agent_targets + [{"name":"staging","id":158025,"uuid":"b3dbc116-2659-451a-9122-c523220386ea"}] + + + tenableio.site_id + us-2a + + + tenableio.scan_nonce + 9d3608bf836add559131d7603d827387603cf02654a1f561a3da11a01dedbd8e + + + tenableio.scan_uuid + 641a5ef4-ade6-47bc-b0cd-f53c54e1ed5d + + + audit_trail + none + + + local_portscan.netstat_ssh + yes + + + local_portscan.netstat_wmi + yes + + + allow_post_scan_editing + yes + + + reverse_lookup + yes + + + visibility + private + + + staggered_start_mins + 0 + + + wizard_uuid + 523c833f-e434-a05f-5a52-0c0c2c160b7cd9c901634c382c2d + + + no_target + true + + + name + Policy Compliance Auditing + + + retry_status_codes + 400, 403, 429, 500, 501, 502, 503, 504 + + + ssl_cipher_list + strong + + + update_hostname + no + + + report_cleanup_threshold_days + 30 + + + retry_sleep_milliseconds + 1500 + + + strict_certificate_validation + no + + + throttle_scan + yes + + + agent_update_channel + ga + + + max_retries + 0 + + + listen_port + 1241 + + + process_priority + normal + + + auto_update + yes + + + max_hosts + 100 + + + max_checks + 5 + + + log_whole_attack + no + + + cgi_path + /cgi-bin:/scripts + + + port_range + default + + + optimize_test + yes + + + checks_read_timeout + 5 + + + non_simult_ports + 139, 445, 3389 + + + plugins_timeout + 320 + + + safe_checks + yes + + + auto_enable_dependencies + yes + + + silent_dependencies + yes + + + slice_network_addresses + no + + + listen_address + 0.0.0.0 + + + ssl_mode + tls_1_2 + + + reduce_connections_on_congestion + no + + + stop_scan_on_disconnect + no + + + report_crashes + yes + + + engine.max_hosts + 16 + + + engine.max_checks + 64 + + + agent_targets + 
[{"name":"staging","id":158025,"uuid":"b3dbc116-2659-451a-9122-c523220386ea"}] + + + + + Unix Compliance Checks + 21157 + Unix Compliance Checks[file]:Policy data #1 : + Policy data #1 : + file + {"variables":{"MAX_AUDIT_LOG_FILE_SIZE":["32"]}} + {"variables":{"MAX_AUDIT_LOG_FILE_SIZE":["32"]}} + + + Unix Compliance Checks + 21157 + Unix Compliance Checks[file]:Policy file #1 : + Policy file #1 : + file + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + + + Unix Compliance Checks + 21157 + Unix Compliance Checks[file]:Policy file #2 : + Policy file #2 : + file + + + + + Unix Compliance Checks + 21157 + Unix Compliance Checks[file]:Policy file #3 : + Policy file #3 : + file + + + + + Unix Compliance Checks + 21157 + Unix Compliance Checks[file]:Policy file #4 : + Policy file #4 : + file + + + + + Unix Compliance Checks + 21157 + Unix Compliance Checks[file]:Policy file #5 : + Policy file #5 : + file + + + + + Unix Compliance Checks + 21157 + Unix Compliance Checks[radio]:Docker Scan Scope : + Docker Scan Scope : + radio + all + all + + + + + + Policy Compliance + mixed + + + CISCO + disabled + + + CGI abuses : XSS + disabled + + + Service detection + disabled + + + Ubuntu Local Security Checks + disabled + + + HP-UX Local Security Checks + disabled + + + DNS + disabled + + + FTP + disabled + + + Virtuozzo Local Security Checks + disabled + + + RPC + disabled + + + Netware + disabled + + + SCADA + disabled + + + SMTP problems + disabled + + + Misc. 
+ disabled + + + FreeBSD Local Security Checks + disabled + + + VMware ESX Local Security Checks + disabled + + + Junos Local Security Checks + disabled + + + Slackware Local Security Checks + disabled + + + Windows : User management + disabled + + + AIX Local Security Checks + disabled + + + Firewalls + disabled + + + Brute force attacks + disabled + + + Windows : Microsoft Bulletins + disabled + + + Gentoo Local Security Checks + disabled + + + Debian Local Security Checks + disabled + + + Default Unix Accounts + disabled + + + SuSE Local Security Checks + disabled + + + MacOS X Local Security Checks + disabled + + + Mandriva Local Security Checks + disabled + + + F5 Networks Local Security Checks + disabled + + + Port scanners + mixed + + + Peer-To-Peer File Sharing + disabled + + + SNMP + disabled + + + Amazon Linux Local Security Checks + disabled + + + NewStart CGSL Local Security Checks + disabled + + + Databases + disabled + + + Denial of Service + disabled + + + Solaris Local Security Checks + disabled + + + Red Hat Local Security Checks + disabled + + + Backdoors + disabled + + + Settings + mixed + + + Oracle Linux Local Security Checks + disabled + + + PhotonOS Local Security Checks + disabled + + + CGI abuses + disabled + + + Gain a shell remotely + disabled + + + Huawei Local Security Checks + disabled + + + General + disabled + + + Mobile Devices + disabled + + + Web Servers + disabled + + + Fedora Local Security Checks + disabled + + + Palo Alto Local Security Checks + disabled + + + Windows + disabled + + + Scientific Linux Local Security Checks + disabled + + + OracleVM Local Security Checks + disabled + + + CentOS Local Security Checks + disabled + + + + + 21157 + Unix Compliance Checks + Policy Compliance + enabled + + + 14272 + Netstat Portscanner (SSH) + Port scanners + enabled + + + + + + + 1616621314 + ip-10-10-23-102 + 10.10.23.102 + be0aa70f-071e-4e4b-8c58-fb72e8d182be + local + 77d3dfe254a648b394753b756e6ad55a + Wed Mar 24 21:03:39 2021 + 
Wed Mar 24 22:01:47 2021 + other + Policy Compliance Auditing + true + ip-10-10-23-102 + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 6062/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 22/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5432/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 8126/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5000/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5001/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 3000/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 3001/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 4500/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 8125/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 68/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 500/udp was found to be open + + + 2021/01/27 + 2005/08/26 + summary + n/a + This plugin displays, for each tested host, information about the +scan itself : + + - The version of the plugin set. + - The type of scanner (Nessus or Nessus Home). + - The version of the Nessus Engine. + - The port scanner(s) used. + - The port range scanned. + - The ping round trip time + - Whether credentialed or third-party patch management + checks are possible. + - Whether the display of superseded patches is enabled + - The date of the scan. + - The duration of the scan. + - The number of hosts scanned in parallel. + - The number of checks done in parallel. + This plugin displays information about the Nessus scan. + None + 1.99 + Information about this scan : + +Nessus version : 8.2.2 +Plugin feed version : 202103241357 +Scanner edition used : Nessus +Scan type : Unix Agent +Scan policy used : Policy Compliance Auditing +Scanner IP : 127.0.0.1 +Ping RTT : Unavailable +Thorough tests : no +Experimental tests : no +Paranoia level : 1 +Report verbosity : 1 +Safe checks : yes +Optimize the test : yes +Credentialed checks : yes (on the localhost) +Attempt Least Privilege : no +Patch management checks : None +Display superseded patches : yes (supersedence plugin did not launch) +CGI scanning : disabled +Web application tests : disabled +Max hosts : 100 +Max checks : 5 +Recv timeout : 5 +Backports : None +Allow post-scan editing: Yes +Scan Start Date : 2021/3/24 21:28 UTC +Scan duration : 18 sec + + + + "CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark" : [PASSED] + +See Also: https://workbench.cisecurity.org/files/2611 + +Policy Value: +PASSED + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a4a434a6fac51bca9617d1d9cf7276e2efe5afc1a85b890f908a2326aa53881b + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark + PASSED + PASSED + 
https://workbench.cisecurity.org/files/2611 + $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab" : [PASSED] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}' +expect: ^none$ +system: Linux + +Actual Value: +The command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}'' returned : + +none + The command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}'' returned : + +none + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1604fba75675449755beb16f0ad68142fd18767aa53eb0b79054310d61403fd7 + 1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}' +expect: ^none$ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. 
+ +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. + $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe" : [WARNING] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v vfat +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v vfat' did not return any result + The command '/sbin/modprobe -n -v vfat' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 50e16f4155fa4945be02a15597a3046282783105815d9a45e62ec6ef7ad5069b + 1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /sbin/modprobe -n -v vfat +expect: install /bin/true +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + WARNING + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod" : [PASSED] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 76982007b1bb9bdc54d74d16d4cc1f6b819812398524502d589132bc6f0a348d + 1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. 
+ +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. + $Revision: 1.480 $ + + + "1.1.6 Ensure separate partition exists for /var" : [FAILED] + +The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + +Rationale: + +Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var[\s]' +expect: on[\s]+/var[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5b46df3c9922510e376a57510888eecd49b19836c08b3aea191b7a3bb4fe107f + 1.1.6 Ensure separate partition exists for /var + The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + +Rationale: + +Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var[\s]' +expect: on[\s]+/var[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.7 Ensure separate partition exists for /var/tmp" : [FAILED] + +The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. + +Rationale: + +Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]' +expect: on[\s]+/var/tmp[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 416c014598552acbf45a74134514c13afd27758043e47a98e44eb9d515e652fb + 1.1.7 Ensure separate partition exists for /var/tmp + The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. + +Rationale: + +Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]' +expect: on[\s]+/var/tmp[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. 
+ +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + $Revision: 1.480 $ + + + "1.1.11 Ensure separate partition exists for /var/log" : [FAILED] + +The /var/log directory is used by system services to store log data . + +Rationale: + +There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]' +expect: on[\s]+/var/log[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f600ba0773d6426c319aa28abaa2f97d703ab08f51407e0a794934c1b8e9d15b + 1.1.11 Ensure separate partition exists for /var/log + The /var/log directory is used by system services to store log data . + +Rationale: + +There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]' +expect: on[\s]+/var/log[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|7.1.2.3(d), CN-L3|7.1.3.3(f), CSCv6|6.3, CSCv7|6.4, CSF|PR.IP-1, ISO/IEC-27001|A.12.4.2, ITSG-33|CM-6, LEVEL|2S, NESA|M5.2.3, NESA|M5.5.2, NESA|T3.2.1, NESA|T3.6.4, NESA|T8.2.9, NIAv2|SM5, NIAv2|SM6, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.12 Ensure separate partition exists for /var/log/audit" : [FAILED] + +The auditing daemon, auditd , stores log data in the /var/log/audit directory. + +Rationale: + +There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]' +expect: on[\s]+/var/log/audit[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1084bbdd84e5e61d6aba3f0a96dc841602c2c26378cdbbd2cbe1a93fb0038d8c + 1.1.12 Ensure separate partition exists for /var/log/audit + The auditing daemon, auditd , stores log data in the /var/log/audit directory. + +Rationale: + +There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired. 
+ cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]' +expect: on[\s]+/var/log/audit[\s]+ +system: Linux + 800-171|3.3.8, 800-171|3.4.2, 800-53|AU-9, 800-53|CM-6, CN-L3|7.1.2.3(d), CN-L3|7.1.3.3(f), CN-L3|8.1.10.6(d), CN-L3|8.1.3.5(c), CN-L3|8.1.4.3(c), CSCv6|6.3, CSCv7|6.4, CSF|PR.IP-1, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.2, ITSG-33|AU-9, ITSG-33|CM-6, LEVEL|2S, NESA|M5.2.3, NESA|M5.5.2, NESA|T3.2.1, NESA|T3.6.4, NESA|T8.2.9, NIAv2|SM5, NIAv2|SM6, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, QCSC-v1|13.2, QCSC-v1|8.2.1, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.13 Ensure separate partition exists for /home" : [FAILED] + +The /home directory is used to support disk storage needs of local users. + +Rationale: + +If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home . 
+ +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /home . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/home[\s]' +expect: on[\s]+/home[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/home[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/home[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 600dc1ad0b30f4abdd58c26d2277f795add102c69b0837c707632730e6428ec2 + 1.1.13 Ensure separate partition exists for /home + The /home directory is used to support disk storage needs of local users. + +Rationale: + +If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home . + cmd: /bin/mount | /bin/grep -P 'on[\s]+/home[\s]' +expect: on[\s]+/home[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /home . 
+For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded" : [PASSED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*[1-9][0-9]*[\s]+profiles[\s]+are[\s]+loaded +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1145) + /usr/lib/ipsec/charon (1384) + /usr/sbin/clamd (1214) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1178) + snap.amazon-ssm-agent.amazon-ssm-agent (1634) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1145) + /usr/lib/ipsec/charon (1384) + /usr/sbin/clamd (1214) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1178) + snap.amazon-ssm-agent.amazon-ssm-agent (1634) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e0be84d79f9cf6937a0d67800e34390571a554557f5b84668874dabc7e706681 + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*[1-9][0-9]*[\s]+profiles[\s]+are[\s]+loaded +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain" : [FAILED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+profiles[\s]+are[\s]+in[\s]+complain[\s]+mode +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1145) + /usr/lib/ipsec/charon (1384) + /usr/sbin/clamd (1214) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1178) + snap.amazon-ssm-agent.amazon-ssm-agent (1634) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1145) + /usr/lib/ipsec/charon (1384) + /usr/sbin/clamd (1214) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1178) + snap.amazon-ssm-agent.amazon-ssm-agent (1634) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1670e10d1b4c61e042ee28544faf2e957074b5c8d24c6a9924d02a52d949650a + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+profiles[\s]+are[\s]+in[\s]+complain[\s]+mode +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined" : [PASSED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+processes[\s]+are[\s]+unconfined +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1145) + /usr/lib/ipsec/charon (1384) + /usr/sbin/clamd (1214) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1178) + snap.amazon-ssm-agent.amazon-ssm-agent (1634) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1145) + /usr/lib/ipsec/charon (1384) + /usr/sbin/clamd (1214) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1178) + snap.amazon-ssm-agent.amazon-ssm-agent (1634) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5a0a9394aa1194432b4689b2901733d9696fb84053104c512f292930ef53572a + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+processes[\s]+are[\s]+unconfined +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "3.4.1 Ensure DCCP is disabled - modprobe" : [FAILED] + +The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v dccp +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v dccp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko + The command '/sbin/modprobe -n -v dccp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e037d1730fcc5a031e6de6a0d1f75ff49783b2de6cb6018827731a84a9c97ae2 + 3.4.1 Ensure DCCP is disabled - modprobe + The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v dccp +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + $Revision: 1.480 $ + + + "3.4.1 Ensure DCCP is disabled - lsmod" : [PASSED] + +The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 38e554ce49d5a8e7cd9c29c4015676f0daaff030139d1d6e278d089e83f14e9c + 3.4.1 Ensure DCCP is disabled - lsmod + The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + $Revision: 1.480 $ + + + "3.4.2 Ensure SCTP is disabled - modprobe" : [FAILED] + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v sctp +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v sctp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko + The command '/sbin/modprobe -n -v sctp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1d9c2eb6c7f711dc687ab63f8ea9aca6790f56362a092dc77656990bfec0f2a9 + 3.4.2 Ensure SCTP is disabled - modprobe + The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v sctp +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + $Revision: 1.480 $ + + + "3.4.2 Ensure SCTP is disabled - lsmod" : [PASSED] + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3328ad9e63c7fc3da06905f76d3c33e763e1fe9db4f63c4a09c8096bc0afe7d6 + 3.4.2 Ensure SCTP is disabled - lsmod + The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + $Revision: 1.480 $ + + + "3.4.3 Ensure RDS is disabled - modprobe" : [FAILED] + +The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v rds +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v rds' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko + The command '/sbin/modprobe -n -v rds' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 99fd82e0888527989acb12eff6b6ece5bf7800172acd19f1ef243b0e03cb1f5b + 3.4.3 Ensure RDS is disabled - modprobe + The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v rds +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + $Revision: 1.480 $ + + + "3.4.3 Ensure RDS is disabled - lsmod" : [PASSED] + +The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d1a52cc395c78f5e8d7605583c4ac4d7a8e86607a8bff227041c7af748b55925 + 3.4.3 Ensure RDS is disabled - lsmod + The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + $Revision: 1.480 $ + + + "3.4.4 Ensure TIPC is disabled - modprobe" : [FAILED] + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v tipc +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v tipc' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko + The command '/sbin/modprobe -n -v tipc' returned : + +insmod 
/lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3db2caeceeda7a949bd56503baa0c7fe1febfb52b271a578e55a000b0de87a36 + 3.4.4 Ensure TIPC is disabled - modprobe + The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + cmd: /sbin/modprobe -n -v tipc +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + $Revision: 1.480 $ + + + "3.4.4 Ensure TIPC is disabled - lsmod" : [PASSED] + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b91d59e016faf4fa49bebb7013728be99e25efc8b40fed3656522e47b46fca39 + 3.4.4 Ensure TIPC is disabled - lsmod + The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + $Revision: 1.480 $ + + + "3.7 Disable IPv6" : [FAILED] + +Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented. + +Rationale: + +If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. + +Solution: +Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: + +GRUB_CMDLINE_LINUX='ipv6.disable=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2 + +Policy Value: +expect: ipv6\.disable[\s]*=[\s]*1 +file: /etc/default/grub +regex: ^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]* +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/default/grub - regex '^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]*' found - expect 'ipv6\.disable[\s]*=[\s]*1' not found in the following lines: + 11: GRUB_CMDLINE_LINUX="audit=1" + Non-compliant file(s): + /etc/default/grub - regex '^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]*' found - expect 'ipv6\.disable[\s]*=[\s]*1' not found in the following lines: + 11: GRUB_CMDLINE_LINUX="audit=1" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
dcc9e323d3118c8552c80fa72b9ec93ea2902b582d9f906453a093d36b90f2e4 + 3.7 Disable IPv6 + Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented. + +Rationale: + +If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. + expect: ipv6\.disable[\s]*=[\s]*1 +file: /etc/default/grub +regex: ^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]* +system: Linux + 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv6|11, CSCv6|3, CSCv6|9.1, CSCv7|9.4, CSF|PR.DS-6, LEVEL|2NS, QCSC-v1|3.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: + +GRUB_CMDLINE_LINUX='ipv6.disable=1' + +Run the following command to update the grub2 configuration: + +# update-grub + $Revision: 1.480 $ + + + "4.1.1.1 Ensure auditd is installed" : [FAILED] + +auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ +Solution: +Run the following command to Install auditd + +# apt install auditd audispd-plugins + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3 + +Policy Value: +cmd: /usr/bin/dpkg -s audispd-plugins 2>&1 +expect: install[\s]+ok[\s]+installed +system: Linux + +Actual Value: +The command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : + +dpkg-query: package 'audispd-plugins' is not installed and no information is available +Use dpkg --info (= dpkg-deb --info) to examine archive files, +and dpkg --contents (= dpkg-deb --contents) to list their contents. + The command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : + +dpkg-query: package 'audispd-plugins' is not installed and no information is available +Use dpkg --info (= dpkg-deb --info) to examine archive files, +and dpkg --contents (= dpkg-deb --contents) to list their contents. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a3b73e25f8f83243c98dec8a14f08e61e6cde434944acc7df9334c5c10557b7e + 4.1.1.1 Ensure auditd is installed + auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ cmd: /usr/bin/dpkg -s audispd-plugins 2>&1 +expect: install[\s]+ok[\s]+installed +system: Linux + 800-171|3.4.8, 800-53|CM-7(5), CSCv7|6.2, CSCv7|6.3, CSF|PR.IP-1, CSF|PR.PT-3, ISO/IEC-27001|A.12.5.1, ISO/IEC-27001|A.12.6.2, LEVEL|2S, PCI-DSSv3.1|12.3.7, PCI-DSSv3.2|12.3.7, SWIFT-CSCv1|2.3, TBA-FIISB|44.2.2, TBA-FIISB|49.2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Run the following command to Install auditd + +# apt install auditd audispd-plugins + $Revision: 1.480 $ + + + "4.1.1.2 Ensure auditd service is enabled" : [PASSED] + +Enable and start the auditd daemon to record system events. + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. + +Solution: +Run the following command to enable auditd : + +# systemctl --now enable auditd + +Notes: + +Additional methods of enabling a service exist. Consult your distribution documentation for appropriate methods. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print "disabled" }' +dont_echo_cmd: YES +expect: enabled +system: Linux + +Actual Value: +The command returned : + +enabled + The command returned : + +enabled + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ab5082f2a6664c330fafb8ccb5a6e113b3acedf28af7be360007128a4e2ee43c + 4.1.1.2 Ensure auditd service is enabled + Enable and start the auditd daemon to record system events. + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ cmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print "disabled" }' +dont_echo_cmd: YES +expect: enabled +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CIP|007-6-R1, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|6.2, CSCv7|6.2, CSCv7|6.3, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to enable auditd : + +# systemctl --now enable auditd + +Notes: + +Additional methods of enabling a service exist. Consult your distribution documentation for appropriate methods. + $Revision: 1.480 $ + + + "4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled" : [PASSED] + +Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. + +Rationale: + +Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected. + +Solution: +Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: + +GRUB_CMDLINE_LINUX='audit=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +Notes: + +This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. + +Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4 + +Policy Value: +expect: ^[\s]*linux[\s]+.*audit=1.*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + +Actual Value: +Compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit=1.*[\s]*$' found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + Compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit=1.*[\s]*$' found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux 
/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + beb3e9a25319309353b7d2126839697cb26ef1a207d7b42173b5a7d4768146d7 + 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled + Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. + +Rationale: + +Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected. + expect: ^[\s]*linux[\s]+.*audit=1.*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + 800-53|AU-14(1), 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv6|6.2, CSCv7|6.2, CSCv7|6.3, CSF|PR.DS-6, CSF|PR.PT-1, LEVEL|2S, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: + +GRUB_CMDLINE_LINUX='audit=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +Notes: + +This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. + +Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment. + $Revision: 1.480 $ + + + "4.1.1.4 Ensure audit_backlog_limit is sufficient" : [FAILED] + +The backlog limit has a default setting of 64 + +Rationale: + +during boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. 
+ +Solution: +Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: +Example: + +GRUB_CMDLINE_LINUX='audit_backlog_limit=8192' + +Run the following command to update the grub2 configuration: + +# update-grub + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4 + +Policy Value: +expect: ^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + +Actual Value: +Non-compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$' not found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + Non-compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$' not found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips 
root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0d5a1c8227f347c747dd36d194b25c1c2189dfffc21c8c9bd70fe6233ae8a37b + 4.1.1.4 Ensure audit_backlog_limit is sufficient + The backlog limit has a default setting of 64 + +Rationale: + +during boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. + expect: ^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + 800-53|AU-14(1), 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv7|6.2, CSCv7|6.3, CSF|PR.DS-6, CSF|PR.PT-1, LEVEL|2S, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: +Example: + +GRUB_CMDLINE_LINUX='audit_backlog_limit=8192' + +Run the following command to update the grub2 configuration: + +# update-grub + $Revision: 1.480 $ + + + "4.1.2.1 Ensure audit log storage size is configured" : [FAILED] + +Configure the maximum size of the audit log file. 
Once the log reaches the maximum size, it will be rotated and a new log file will be started. + +Rationale: + +It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. + +Solution: +Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: + +max_log_file = <MB> + +Notes: + +The max_log_file parameter is measured in megabytes. + +Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2 + +Policy Value: +expect: ^[\s]*max_log_file[\s]*=[\s]*32[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file[\s]*=' found - expect '^[\s]*max_log_file[\s]*=[\s]*32[\s]*$' not found in the following lines: + 12: max_log_file = 8 + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file[\s]*=' found - expect '^[\s]*max_log_file[\s]*=[\s]*32[\s]*$' not found in the following lines: + 12: max_log_file = 8 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e500cc8a802bc7694994e6db78f18b034e1d28782eb4a6912325b339240c22ed + 4.1.2.1 Ensure audit log storage size is configured + Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. + +Rationale: + +It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. 
+ expect: ^[\s]*max_log_file[\s]*=[\s]*32[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file[\s]*= +system: Linux + 800-53|AU-4, CSCv6|6.3, CSCv7|6.4, CSF|PR.DS-4, CSF|PR.PT-1, ITSG-33|AU-4, LEVEL|2S, NESA|T3.3.1, NESA|T3.6.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: + +max_log_file = <MB> + +Notes: + +The max_log_file parameter is measured in megabytes. + +Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness. + $Revision: 1.480 $ + + + "4.1.2.2 Ensure audit logs are not automatically deleted" : [FAILED] + +The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. + +Rationale: + +In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. 
+ +Solution: +Set the following parameter in /etc/audit/auditd.conf: + +max_log_file_action = keep_logs + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1 + +Policy Value: +expect: ^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file_action[\s]*=' found - expect '^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$' not found in the following lines: + 19: max_log_file_action = ROTATE + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file_action[\s]*=' found - expect '^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$' not found in the following lines: + 19: max_log_file_action = ROTATE + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6e13000c5b809d2c8fc00608ff7cd19e333e485822287be53c2e4f2c542242dd + 4.1.2.2 Ensure audit logs are not automatically deleted + The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. + +Rationale: + +In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. 
+ expect: ^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file_action[\s]*= +system: Linux + 800-171|3.3.4, 800-53|AU-5, CN-L3|7.1.3.3(e), CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NESA|T3.6.2, QCSC-v1|13.2, QCSC-v1|8.2.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameter in /etc/audit/auditd.conf: + +max_log_file_action = keep_logs + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'" : [FAILED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f + +Policy Value: +expect: ^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*space_left_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*space_left_action[\s]*=' found - expect '^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$' not found in the following lines: + 21: space_left_action = SYSLOG + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*space_left_action[\s]*=' found - expect '^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$' not found in the following lines: + 21: space_left_action = SYSLOG + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 851345a359be44bc57399f60628166b6e59dfdc9952d2be7edc6f30baf14f745 + 4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = 
email' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + expect: ^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*space_left_action[\s]*= +system: Linux + 800-53|AU-5, CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NIAv2|GS7f + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'" : [PASSED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. 
+ +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1 + +Policy Value: +expect: ^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*action_mail_acct[\s]*= +system: Linux + +Actual Value: +Compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*action_mail_acct[\s]*=' found - expect '^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$' found in the following lines: + 23: action_mail_acct = root + Compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*action_mail_acct[\s]*=' found - expect '^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$' found in the following lines: + 23: action_mail_acct = root + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 87a5019362188f880b12b0db9f7a6722c0d770cc81e56dc2ad0431e391a8028a + 4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. 
+ expect: ^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*action_mail_acct[\s]*= +system: Linux + 800-171|3.3.4, 800-53|AU-5, CN-L3|7.1.3.3(e), CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NESA|T3.6.2, QCSC-v1|13.2, QCSC-v1|8.2.1 + PASSED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'" : [FAILED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S + +Policy Value: +expect: ^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*admin_space_left_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*admin_space_left_action[\s]*=' found - expect '^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$' not found in the following lines: + 25: admin_space_left_action = SUSPEND + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*admin_space_left_action[\s]*=' found - expect '^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$' not found in the following lines: + 25: admin_space_left_action = SUSPEND + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2d0bf429882a38e136552f24adebfb06fbd0317cc794eed6270bd199397c7ad6 + 4.1.2.3 Ensure system is disabled when 
audit logs are full - 'admin_space_left_action = halt' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + expect: ^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*admin_space_left_action[\s]*= +system: Linux + 800-53|AU-5, CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a8b2f2261eb3b7b4d80071498b7d58f37db532a39c36d5524012ce0d209aacb7 + 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S 
clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7c6ebd0e63d5d58bc54bd5116879744822fde8c539fd3639d932c3d905883797 + 4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e853acce9dc707d6b8eea4d76b70a4167adaa35cca3c51b8910ab1b72d0c0a6e + 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k 
time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 8f7bd6440f3595de3ce5858b86e3cba3b1c2c64d04a300eec8ddd29b2054a2ab + 4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d28681e1b34f220361864e365f3e5749befdf339d6d105df25099f689871bf09 + 4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - /etc/localtime" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +file: /etc/audit/audit.rules +regex: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change" + The file "/etc/audit/audit.rules" does not contain "-w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1ad48da139aca36a97542dff2fca8abec77e14832952157e5672774aeb7c835a + 4.1.3 Ensure events that modify date and time information are collected - /etc/localtime + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +file: /etc/audit/audit.rules +regex: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4498a5dbbb2f0d9cbbfe6506b64302bb0cb1fe2e04385a5472cba0f36dcbb82e + 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S 
clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4de4992a4a1671fff353d799fcde2677e169b780f53a041d5e6ca0be505c3ce3 + 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k 
time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6e2ad8f0439fb2d4a04ac3cdf0f5db2e235296d8aef9c0fab064c32e219ebab7 + 4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f90a0e9dce9450ed4f31eda16f406eb2471769fe1a80b1c62cbadaa34207a34d + 4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/group" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b31c7ecc03eec809270d0771b0c8cb5604d6f4606cd9962d50d0868b69451237 + 4.1.4 Ensure events that modify 
user/group information are collected - /etc/group + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f992026cf97ff0cc3205f67b112e45cf7432da5e21e155ffa062907a996d07a2 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/passwd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c4225ffe1dc7f8b04ea520c2933cd151af3acc65e68f7b0aab904a33910728cb + 4.1.4 Ensure events that modify user/group information are collected - /etc/passwd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. 
+ +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e771db8e6788e6fdc4d3a597670422a314a7c68d376405d8ecd409a4988452fd + 4.1.4 Ensure events that modify user/group information are collected - auditctl 
/etc/passwd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ad9bbec9aefae616eaf490912d1dfc8e1174da53045878503970261b0900fcd9 + 4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ expect: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 9107757c81c15efbbf8a5d6c0f00878c037f79bf972e7d96ba41211f5bd3e00c + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/shadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 936f891dfe1a0d5ea0917dcf9e4c56066c9159f8662f7390b7d5d59ecb844272 + 4.1.4 Ensure events that modify 
user/group information are collected - /etc/shadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b6b70b67ef4e2556956c13264699d60e45aec6399aea37d149d7b2a0b33c4bf3 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2f3f4a76f9880bea92989e7caa0afd0d26c00b1e73ae19666df23e1b7c3fe57a + 4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
9d5d30d175370be54d1f830b7c7d3965c9c1306a0caf83044fa60f98eeb8a0a1 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0420b9df8b56be058851e1b46fd032f9bd3bde339f6b4c156a7ea324009295d4 + 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. 
+ +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k 
system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4c7a06c32c59688deb682e545cab38af927004d77a43e117345f666e7417c398 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - issue" : [FAILED] + +Record changes to network environment files or system calls. 
The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a4627cee557446d2e1af27364b89c81b8214345ff4cc59e2e983a5c0d559d6ec + 4.1.5 Ensure events that modify the system's network environment are collected - issue + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d4f8c013750a1db1505dfc0e5d8998d672c90caa1f796bf1f2468ac91ed0fb44 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules 
+and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - issue.net" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b0bac992a93d7597d9b1c6c3459b8cff3e6f268ef7b8ff65df7b3a87164b5059 + 4.1.5 Ensure events that modify the system's network environment are collected - issue.net + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k 
system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5c19eed8ec5c51fff27ba1718811b14292012c1ebf6c9b95315ecff1f45ec8b9 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + de728ffbc8b0efcf9e36595a1d10763638e77abd0175917dc8f1766eb865c4cb + 4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a 
always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1780c1a10342cecf2f612ea67cf848a1bed2d0b7f96c99ce45ee8d1d676c56c0 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules 
+and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - /etc/network" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4dd1d3e582c76c6eabd1a2c47b3089fa19de4bfabfe56c9b76c277c20df633c7 + 4.1.5 Ensure events that modify the system's network environment are collected - /etc/network + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl network" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3e9a4f4ccf9b5f576402bbbfca100daf55f08c91c39be9397e84dde2eba4e1ec + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl network + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1e7a5952df1e4ee4a598e84fc4f102e2d5053175e70f9a7b129f1a5c2babf2b6 + 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. 
+ +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k 
system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 98a0ebf0015ed7c023df1b273dfeb0da2ccfd9588cd207f10c2363a30e9be3f0 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/" : [FAILED] + +Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6bd95d1d5d7bb72928b49fe6576b9c7dcb81435662c7afb0e280f5bd51bb1ceb + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/ + Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + expect: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2ddfce8b96fae8514b37579579cc75c0a5c5f6182a479944134de370fbec8fed + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/ + Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6105b9523a81171ea54322d658ca1fd99a26a57eb878563ac6f6bd768a136b97 + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/ + Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + expect: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b7ef7c8286a7e4ef03d78673eced8b82b2353009cda557ccbca8f56501148434 + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/ + Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/lastlog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 11e3dbacda852bfa703326b36102e26f28cfa54ba9a3639ceb120ad3e34acda5 + 4.1.7 Ensure login and logout events are collected - /var/log/lastlog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7ab0bd3f92d264704402b1bd7557aeb927c6ee304d2c675fa3a533d17340bab0 + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/faillog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a0475517601e550f306cb5fc117f94884adc3d2d0a27bfceec74926236d07c31 + 4.1.7 Ensure login and logout events are collected - /var/log/faillog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 897994af1adf891d3ec6320e2e2c7ce99413c1004c126251ddb453a345248d1f + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog + Monitor 
login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/tallylog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f4c95ac4492bc2fd3b42c854b99d763c1092e372cb5c3dc8e73f2f53d2f18974 + 4.1.7 Ensure login and logout events are collected - /var/log/tallylog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2a20560c097b3583fc8ae4a9f4a4f81ccd115ce1d577cacb7a3d5bce2b0bb38b + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog + 
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - utmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e0e32c7abaa520af57d5fcd0509af4efd600d0fe6194e88bfd070eeb0b7c32f2 + 4.1.8 Ensure session initiation information is collected - utmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl utmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
334856ae21edbfc8e4ee69474e5162330346bb8eb005bf32c71230ef47e269e7 + 4.1.8 Ensure session initiation information is collected - auditctl utmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - wtmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5d42e9edf7128427652c2d26d8071dbe75373a4cdee761a506b1e9a4342ee0cd + 4.1.8 Ensure session initiation information is collected - wtmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl wtmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
778fcea391b5dcbd7e4e9d94f0041c11506ff1b24e4ec11d2ea035069bc4380e + 4.1.8 Ensure session initiation information is collected - auditctl wtmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - btmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5b94974042792bdc279a8e5a10036b5991f126f79e06946a7efaea572d31b3bf + 4.1.8 Ensure session initiation information is collected - btmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl btmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
ef94c6dcf22a4f89985b81b0e6a565bbbdc4d9e9f1c29468d31dc32bf24b6a1d + 4.1.8 Ensure session initiation information is collected - auditctl btmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ed612d721cb76e091a63409120de4a8eb33983a648ac29cfe81e1c362ef0881d + 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F 
auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S 
fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
8f3913220ffa84f56d1246020c38b12f7ca4319180661291865bd8eaf2a4282e + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S 
fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b240407faf92342c6c14680877ee59d28c2ced52e61d3c1fbb39ad29b3be3527 + 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules 
+Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) 
print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5433cc45f04c9d8dc054f61f8ed24e857d5ac8a2c9f389d40a50e60326c1145a + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S 
lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 8bace636fd3d0ee4af88ffd2071c61dc69517fa01f308d6d7aac72e8f0d828ef + 4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit 
-F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 62ce63cf9c422074f5f884cc643c35470363c956e7882ed2a99f6cb2cfa7d473 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k 
perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0df8a92a377f538eda7d6d72950db31248cedf3888d8f7814e5cd9641421a0bc + 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F 
auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S 
fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
2cb128c8490dc349fd5f43a1e18b6fd5b909860ff92287ff0291ce89870823fd + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S 
fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ff4d64871baeccb6b463a35ebd3299858b02f3396814c4cc063edcec9bb16f30 + 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) 
print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0efe00fae162ed63d3a7a1f7d308be5bf43950104f0262044cfc67e0a405ba25 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S 
lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + cd8157063033a8ee2c02be626b5398d6afe880168114e845196c9f105bc8e0c6 + 4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit) + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S 
chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0c37fb782e57215ee0d927c44e3ce193449ccb56b406724c084772023fdb8be3 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k 
perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c43555aef0dbf51050493b49ee3f20e5ef50c2237c34dcf2d6c0603971ccc093 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b3caa9146de0f5959793e2ccad56b548524aa36c1c2601d3fa415655ccf90923 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + bf99c3878172804505f3bc5c0fd73b06da8420e24c756fb7f3f40e0141393433 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + cefb7ab557baa40a03012af96f8b142c4308f9ae3dc7fb829109c856785412f1 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e4c1eedd2a3bbb88dbd046bd31d3e5476ab90c15cec8eaa13bd186d00ff57272 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit) + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2395aa07f0abf9761dd934e48a53afa6f8071b84c709dfb525ff3f9e43623ead + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit) + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 08e70e7093244321f07b8371516d57c030c72313285a69200b865f0d8eb35910 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit) + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5e0c411a1e9c2491ff606cba6d8c821e12affc82cfd65c4977376362fd8e83dd + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit) + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.11 Ensure use of privileged commands is collected" : [FAILED] + +Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. + +Solution: +To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. 
The audit parameters associated with this are as follows: +-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events +All audit records should be tagged with the identifier 'privileged'. +Run the following command replacing with a list of partitions where programs can be executed from on your system: + +# find <partition> -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print +'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 +-k privileged' }' + +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/privileged.rules +And add all resulting lines to the file. + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2 + +Policy Value: +cmd: IFS=$''; LINES=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f); for LINE in $LINES; do LINE="-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"; if [ $(grep -- "$LINE" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo "$LINE - not found in /etc/audit/rules.d/"; fi; done +dont_echo_cmd: YES +not_expect: not found +system: Linux + +Actual Value: +The command returned : + +-a always,exit -F path=/opt/threatstack/sbin/tsfim +/opt/threatstack/sbin/tsauditd +/opt/threatstack/sbin/tsagentd +/opt/threatstack/sbin/raudit +/usr/lib/openssh/ssh-keysign +/usr/lib/snapd/snap-confine +/usr/lib/eject/dmcrypt-get-device +/usr/lib/dbus-1.0/dbus-daemon-launch-helper +/usr/lib/x86_64-linux-gnu/utempter/utempter +/usr/lib/policykit-1/polkit-agent-helper-1 +/usr/bin/passwd +/usr/bin/newgrp +/usr/bin/pkexec +/usr/bin/bsd-write +/usr/bin/expiry +/usr/bin/chage +/usr/bin/chfn +/usr/bin/traceroute6.iputils +/usr/bin/crontab +/usr/bin/at +/usr/bin/sudo +/usr/bin/gpasswd +/usr/bin/ssh-agent +/usr/bin/chsh +/usr/bin/mlocate +/usr/bin/wall +/sbin/unix_chkpwd +/sbin/pam_extrausers_chkpwd +/bin/mount +/bin/su +/bin/umount +/bin/ping +/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/ + The command returned : + +-a always,exit -F path=/opt/threatstack/sbin/tsfim +/opt/threatstack/sbin/tsauditd +/opt/threatstack/sbin/tsagentd +/opt/threatstack/sbin/raudit +/usr/lib/openssh/ssh-keysign +/usr/lib/snapd/snap-confine +/usr/lib/eject/dmcrypt-get-device +/usr/lib/dbus-1.0/dbus-daemon-launch-helper +/usr/lib/x86_64-linux-gnu/utempter/utempter +/usr/lib/policykit-1/polkit-agent-helper-1 +/usr/bin/passwd +/usr/bin/newgrp +/usr/bin/pkexec +/usr/bin/bsd-write +/usr/bin/expiry +/usr/bin/chage +/usr/bin/chfn 
+/usr/bin/traceroute6.iputils +/usr/bin/crontab +/usr/bin/at +/usr/bin/sudo +/usr/bin/gpasswd +/usr/bin/ssh-agent +/usr/bin/chsh +/usr/bin/mlocate +/usr/bin/wall +/sbin/unix_chkpwd +/sbin/pam_extrausers_chkpwd +/bin/mount +/bin/su +/bin/umount +/bin/ping +/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/ + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 293349b070010c7e68206a4468974e29b921c4dd13799a9fcfdf8db0e3baf248 + 4.1.11 Ensure use of privileged commands is collected + Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. + cmd: IFS=$''; LINES=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f); for LINE in $LINES; do LINE="-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"; if [ $(grep -- "$LINE" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo "$LINE - not found in /etc/audit/rules.d/"; fi; done +dont_echo_cmd: YES +not_expect: not found +system: Linux + 800-171|3.1.7, 800-53|AC-6(10), CSCv6|5.1, CSCv7|5.1, CSF|PR.AC-4, LEVEL|2S, QCSC-v1|5.2.2, QCSC-v1|6.2 + FAILED + https://workbench.cisecurity.org/files/2611 + To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. 
The audit parameters associated with this are as follows: +-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events +All audit records should be tagged with the identifier 'privileged'. +Run the following command replacing with a list of partitions where programs can be executed from on your system: + +# find <partition> -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print +'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 +-k privileged' }' + +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/privileged.rules +And add all resulting lines to the file. + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - 32-bit" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 507850f012ae2f026e5da7ae28cb529fa8dc8e011c9075b8a344e04be97c136e + 4.1.12 Ensure successful file system mounts are collected - 32-bit + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F 
auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. 
System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 35f9902a028545a929c9e4b2d8182848d5cf7af326e9ce8b34cdc98b8de923f1 + 4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit) + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - 64-bit" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. 
The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + The file "/etc/audit/audit.rules" does not contain 
"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ec348285db8173a031444fde71da70cc9af348e5d5844414723d00f5b06ac0e3 + 4.1.12 Ensure successful file system mounts are collected - 64-bit + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. 
The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a 
always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4e1f48102917b94e03671569ced1ed5f2e12c75dbc073559273ebb87440f9502 + 4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit) + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - 32-bit" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. 
This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c4c538eb0d9adc4e1b9f3f040c5dbebf537f24581faf5d3e97c6e405773b7171 + 4.1.13 Ensure file deletion events by users are collected - 32-bit + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. 
+ +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in 
.rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 
0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 18496caba825b6b3b7aba408aa2fdd82264037b1571d232ef605c9d8cfd83682 + 4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit) + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - 64-bit" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. 
This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7f02e4367d27f7b08950a84fe787f594ee41e6087a948c2e6048dce565702def + 4.1.13 Ensure file deletion events by users are collected - 64-bit + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. 
+ +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in 
.rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 
0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 29fa10a71ae56832ee59df1f6c16f0ca28c3a06b7f70ed10b38dbe8af2770969 + 4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit) + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers" : [FAILED] + +Monitor scope changes for system administrations. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e8fef2d63fce68b3aebdf87672f23f44b82784ec90d5cb5d7487085164337768 + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - 
sudoers + Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + expect: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6c9565caf492ae04a934479f78d8dfec3cd8319153c6414eeb016504eab9a8cc + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers + Monitor scope 
changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 17db8c79852c4ffca552336921bdb821d619b8eaa1aa78a63febe192a38fc63d + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d + Monitor scope changes for system administrations. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + expect: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + eb02bf62db0abc558120b5c2615efe2911761a7c01d578405de0c1ac1c05bd93 + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d 
+ Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.15 Ensure system administrator actions (sudolog) are collected" : [FAILED] + +Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . 
Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b2803cc5e0e322fccb3bb2ca3cfea7299471320ff54cdf6d3d9f001295058e00 + 4.1.15 Ensure system administrator actions (sudolog) are collected + Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. 
+ expect: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl" : [FAILED] + +Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. 
+ +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 501b2b659bd8c6c0e4765b61086febd1e353604ec08dac2b9d5dd2b4066ee2f5 + 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl + Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - insmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b39bb1a24e89e67fdd9a1cc5bc903984ef011fcdcdf7aaf4aac97b6ae1cf5a56 + 4.1.16 Ensure kernel module loading and unloading is collected - insmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5f5dca23dc39b8f14aec44a2569c75add61c907fb3c78d179122a5afeedfe177 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - rmmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 68902d2f68c462e5f95fa1790fccfd1a3888d03b696d9da7eda317eead033d72 + 4.1.16 Ensure kernel module loading and unloading is collected - rmmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7275547d8a319270eb93eed611c7ac20adcd4beae74ed3fbeccee11b8e354547 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - modprobe" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d8b698b73645dad96c72c6d08d8f28741d4e127ec85616670dbdf427facf3604 + 4.1.16 Ensure kernel module loading and unloading is collected - modprobe + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 91e5bdbac3f50f475ad5a0baa06f7dc19e805a2291d09b0860012c09cff73367 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 939c46efe9f7e1b91be256d2ec9212bf5153e5f7d865a97fe4b5e004f00e4bc7 + 4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a3d53b1ab5b465ff86cc2932355cdc38a25da88f6f1864abff3097b68246ad6a + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. 
Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set 
active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + 
CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 394a22f398ef95a2f0d84a72ba5d8addbb93d040f41c3f3f4e466fb90737b113 + 4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b9cb045ebb817de1c09597630d7436dfd8db88613f24cf5f90de25e345efbfe9 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. 
Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set 
active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.17 Ensure the audit configuration is immutable" : [FAILED] + +Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot. + +Rationale: + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. + +Solution: +Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line + +-e 2 + +at the end of the file + +Notes: + +This setting will ensure reloading the auditd config to set active settings requires a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/grep -v "^$" /etc/audit/audit.rules | /usr/bin/tail -1 +dont_echo_cmd: YES +expect: ^[\s]*-e[\s]+2[\s]*$ +system: Linux + +Actual Value: +The command returned : + +--backlog_wait_time 0 + The command returned : + +--backlog_wait_time 0 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + dd3e7f47c1e769675b99ac24944487dfa2923267866b81b24ad14f624a75dd1a + 4.1.17 Ensure the audit configuration is immutable + Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot. + +Rationale: + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. 
Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. + cmd: /bin/grep -v "^$" /etc/audit/audit.rules | /usr/bin/tail -1 +dont_echo_cmd: YES +expect: ^[\s]*-e[\s]+2[\s]*$ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|8.1.10.6(d), CSCv6|3, CSCv7|6.2, CSCv7|6.3, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, NESA|T3.2.1, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line + +-e 2 + +at the end of the file + +Notes: + +This setting will ensure reloading the auditd config to set active settings requires a system reboot. + $Revision: 1.480 $ + + + "5.2.6 Ensure SSH X11 forwarding is disabled" : [PASSED] + +The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. + +Rationale: + +Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. 
+ +Solution: +Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +X11Forwarding no + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +expect: ^[\s]*X11Forwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*X11Forwarding[\s] +system: Linux + +Actual Value: +Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*X11Forwarding[\s]' found - expect '^[\s]*X11Forwarding[\s]+no[\s]*$' found in the following lines: + 22: X11Forwarding no + Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*X11Forwarding[\s]' found - expect '^[\s]*X11Forwarding[\s]+no[\s]*$' found in the following lines: + 22: X11Forwarding no + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 75a649a0fc1d66f4faf0b86fab5631c2df6ad6a53d0559d9adbab8611d8e03db + 5.2.6 Ensure SSH X11 forwarding is disabled + The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. + +Rationale: + +Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. 
+ expect: ^[\s]*X11Forwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*X11Forwarding[\s] +system: Linux + 800-171|3.4.2, 800-53|CM-6, CIP|007-6-R1, CN-L3|8.1.10.6(d), CSCv7|9.2, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|1S, LEVEL|2S, NESA|T3.2.1, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +X11Forwarding no + $Revision: 1.480 $ + + + "5.2.21 Ensure SSH AllowTcpForwarding is disabled" : [PASSED] + +SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines + +Rationale: + +Leaving port forwarding enabled can expose the organization to security risks and back-doors. + +SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network + +Solution: +Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +AllowTcpForwarding no + +Impact: + +SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications. 
+ +Default Value: + +AllowTcpForwarding yes + +References: + +https://www.ssh.com/ssh/tunneling/example + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3 + +Policy Value: +expect: ^[\s]*AllowTcpForwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*AllowTcpForwarding[\s] +system: Linux + +Actual Value: +Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*AllowTcpForwarding[\s]' found - expect '^[\s]*AllowTcpForwarding[\s]+no[\s]*$' found in the following lines: + 63: AllowTcpForwarding no + Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*AllowTcpForwarding[\s]' found - expect '^[\s]*AllowTcpForwarding[\s]+no[\s]*$' found in the following lines: + 63: AllowTcpForwarding no + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0afee2ea9d92a9032de96dac0ac4841c2165281ba053b0b0f85d437aa76fd6ac + 5.2.21 Ensure SSH AllowTcpForwarding is disabled + SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines + +Rationale: + +Leaving port forwarding enabled can expose the organization to security risks and back-doors. + +SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network + expect: ^[\s]*AllowTcpForwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*AllowTcpForwarding[\s] +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|8.1.10.6(d), CSCv7|9.2, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, NESA|T3.2.1, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +AllowTcpForwarding no + +Impact: + +SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications. + +Default Value: + +AllowTcpForwarding yes + +References: + +https://www.ssh.com/ssh/tunneling/example + $Revision: 1.480 $ + + + "6.1.1 Audit system file permissions" : [WARNING] + +The Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: + +Code Meaning + +S File size differs. + +M File mode differs (includes permissions and file type). + +5 The MD5 checksum differs. + +D The major and minor version numbers differ on a device file. + +L A mismatch occurs in a link. + +U The file ownership differs. + +G The file group owner differs. + +T The file time (mtime) differs. + +The dpkg -S command can be used to determine which package a particular file belongs to. 
For example the following command determines which package the /bin/bash file belongs to: + +# dpkg -S /bin/bash + + + +bash: /bin/bash + + + + +To verify the settings for the package that controls the /bin/bash file, run the following: + +# dpkg --verify bash + + + +??5?????? c /etc/bash.bashrc + +Rationale: + +It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor. + +NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. + +Solution: +Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + +Notes: + +Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures. + +Some of the recommendations of this benchmark alter the state of files audited by this recommendation. The audit command will alert for all changes to a file permissions even if the new state is more secure than the default. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS + +Policy Value: +WARNING + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 79108ca19f615ebba631613bd4f83427f83414add433dea43fd95a2221480e3d + 6.1.1 Audit system file permissions + The Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: + +Code Meaning + +S File size differs. 
+ +M File mode differs (includes permissions and file type). + +5 The MD5 checksum differs. + +D The major and minor version numbers differ on a device file. + +L A mismatch occurs in a link. + +U The file ownership differs. + +G The file group owner differs. + +T The file time (mtime) differs. + +The dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to: + +# dpkg -S /bin/bash + + + +bash: /bin/bash + + + + +To verify the settings for the package that controls the /bin/bash file, run the following: + +# dpkg --verify bash + + + +??5?????? c /etc/bash.bashrc + +Rationale: + +It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor. + +NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. + WARNING + CSCv6|14.4, CSCv7|14.6, LEVEL|2NS + WARNING + https://workbench.cisecurity.org/files/2611 + Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + +Notes: + +Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures. + +Some of the recommendations of this benchmark alter the state of files audited by this recommendation. The audit command will alert for all changes to a file permissions even if the new state is more secure than the default. 
+ $Revision: 1.480 $ + + + + + 1616621314 + ip-10-10-37-43 + 10.10.37.43 + 6098acbc-2cc3-42ef-8584-fa5bde9618bc + local + 0b5e63e1ab9b4aa89ab53c15ec8fdfe6 + Wed Mar 24 21:03:39 2021 + Wed Mar 24 22:01:50 2021 + other + Policy Compliance Auditing + true + ip-10-10-37-43 + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 6062/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 22/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5432/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 8126/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5000/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5001/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 3000/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 3001/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 4500/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 8125/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 68/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 500/udp was found to be open + + + 2021/01/27 + 2005/08/26 + summary + n/a + This plugin displays, for each tested host, information about the +scan itself : + + - The version of the plugin set. + - The type of scanner (Nessus or Nessus Home). + - The version of the Nessus Engine. + - The port scanner(s) used. + - The port range scanned. + - The ping round trip time + - Whether credentialed or third-party patch management + checks are possible. + - Whether the display of superseded patches is enabled + - The date of the scan. + - The duration of the scan. + - The number of hosts scanned in parallel. + - The number of checks done in parallel. + This plugin displays information about the Nessus scan. + None + 1.99 + Information about this scan : + +Nessus version : 8.2.2 +Plugin feed version : 202103241357 +Scanner edition used : Nessus +Scan type : Unix Agent +Scan policy used : Policy Compliance Auditing +Scanner IP : 127.0.0.1 +Ping RTT : Unavailable +Thorough tests : no +Experimental tests : no +Paranoia level : 1 +Report verbosity : 1 +Safe checks : yes +Optimize the test : yes +Credentialed checks : yes (on the localhost) +Attempt Least Privilege : no +Patch management checks : None +Display superseded patches : yes (supersedence plugin did not launch) +CGI scanning : disabled +Web application tests : disabled +Max hosts : 100 +Max checks : 5 +Recv timeout : 5 +Backports : None +Allow post-scan editing: Yes +Scan Start Date : 2021/3/24 21:28 UTC +Scan duration : 15 sec + + + + "CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark" : [PASSED] + +See Also: https://workbench.cisecurity.org/files/2611 + +Policy Value: +PASSED + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a4a434a6fac51bca9617d1d9cf7276e2efe5afc1a85b890f908a2326aa53881b + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark + PASSED + PASSED + 
https://workbench.cisecurity.org/files/2611 + $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab" : [PASSED] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}' +expect: ^none$ +system: Linux + +Actual Value: +The command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}'' returned : + +none + The command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}'' returned : + +none + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1604fba75675449755beb16f0ad68142fd18767aa53eb0b79054310d61403fd7 + 1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}' +expect: ^none$ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. 
+ +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. + $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe" : [WARNING] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v vfat +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v vfat' did not return any result + The command '/sbin/modprobe -n -v vfat' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 50e16f4155fa4945be02a15597a3046282783105815d9a45e62ec6ef7ad5069b + 1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /sbin/modprobe -n -v vfat +expect: install /bin/true +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + WARNING + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod" : [PASSED] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 76982007b1bb9bdc54d74d16d4cc1f6b819812398524502d589132bc6f0a348d + 1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. 
+ +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. + $Revision: 1.480 $ + + + "1.1.6 Ensure separate partition exists for /var" : [FAILED] + +The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + +Rationale: + +Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var[\s]' +expect: on[\s]+/var[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5b46df3c9922510e376a57510888eecd49b19836c08b3aea191b7a3bb4fe107f + 1.1.6 Ensure separate partition exists for /var + The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + +Rationale: + +Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var[\s]' +expect: on[\s]+/var[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.7 Ensure separate partition exists for /var/tmp" : [FAILED] + +The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. + +Rationale: + +Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]' +expect: on[\s]+/var/tmp[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 416c014598552acbf45a74134514c13afd27758043e47a98e44eb9d515e652fb + 1.1.7 Ensure separate partition exists for /var/tmp + The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. + +Rationale: + +Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]' +expect: on[\s]+/var/tmp[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. 
+ +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + $Revision: 1.480 $ + + + "1.1.11 Ensure separate partition exists for /var/log" : [FAILED] + +The /var/log directory is used by system services to store log data . + +Rationale: + +There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]' +expect: on[\s]+/var/log[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f600ba0773d6426c319aa28abaa2f97d703ab08f51407e0a794934c1b8e9d15b + 1.1.11 Ensure separate partition exists for /var/log + The /var/log directory is used by system services to store log data . + +Rationale: + +There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]' +expect: on[\s]+/var/log[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|7.1.2.3(d), CN-L3|7.1.3.3(f), CSCv6|6.3, CSCv7|6.4, CSF|PR.IP-1, ISO/IEC-27001|A.12.4.2, ITSG-33|CM-6, LEVEL|2S, NESA|M5.2.3, NESA|M5.5.2, NESA|T3.2.1, NESA|T3.6.4, NESA|T8.2.9, NIAv2|SM5, NIAv2|SM6, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.12 Ensure separate partition exists for /var/log/audit" : [FAILED] + +The auditing daemon, auditd , stores log data in the /var/log/audit directory. + +Rationale: + +There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]' +expect: on[\s]+/var/log/audit[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1084bbdd84e5e61d6aba3f0a96dc841602c2c26378cdbbd2cbe1a93fb0038d8c + 1.1.12 Ensure separate partition exists for /var/log/audit + The auditing daemon, auditd , stores log data in the /var/log/audit directory. + +Rationale: + +There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired. 
+ cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]' +expect: on[\s]+/var/log/audit[\s]+ +system: Linux + 800-171|3.3.8, 800-171|3.4.2, 800-53|AU-9, 800-53|CM-6, CN-L3|7.1.2.3(d), CN-L3|7.1.3.3(f), CN-L3|8.1.10.6(d), CN-L3|8.1.3.5(c), CN-L3|8.1.4.3(c), CSCv6|6.3, CSCv7|6.4, CSF|PR.IP-1, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.2, ITSG-33|AU-9, ITSG-33|CM-6, LEVEL|2S, NESA|M5.2.3, NESA|M5.5.2, NESA|T3.2.1, NESA|T3.6.4, NESA|T8.2.9, NIAv2|SM5, NIAv2|SM6, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, QCSC-v1|13.2, QCSC-v1|8.2.1, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.13 Ensure separate partition exists for /home" : [FAILED] + +The /home directory is used to support disk storage needs of local users. + +Rationale: + +If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home . 
+ +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /home . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/home[\s]' +expect: on[\s]+/home[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/home[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/home[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 600dc1ad0b30f4abdd58c26d2277f795add102c69b0837c707632730e6428ec2 + 1.1.13 Ensure separate partition exists for /home + The /home directory is used to support disk storage needs of local users. + +Rationale: + +If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home . + cmd: /bin/mount | /bin/grep -P 'on[\s]+/home[\s]' +expect: on[\s]+/home[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /home . 
+For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded" : [PASSED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*[1-9][0-9]*[\s]+profiles[\s]+are[\s]+loaded +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1244) + /usr/lib/ipsec/charon (1397) + /usr/sbin/clamd (1275) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1233) + snap.amazon-ssm-agent.amazon-ssm-agent (1657) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1244) + /usr/lib/ipsec/charon (1397) + /usr/sbin/clamd (1275) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1233) + snap.amazon-ssm-agent.amazon-ssm-agent (1657) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e0be84d79f9cf6937a0d67800e34390571a554557f5b84668874dabc7e706681 + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*[1-9][0-9]*[\s]+profiles[\s]+are[\s]+loaded +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain" : [FAILED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+profiles[\s]+are[\s]+in[\s]+complain[\s]+mode +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1244) + /usr/lib/ipsec/charon (1397) + /usr/sbin/clamd (1275) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1233) + snap.amazon-ssm-agent.amazon-ssm-agent (1657) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1244) + /usr/lib/ipsec/charon (1397) + /usr/sbin/clamd (1275) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1233) + snap.amazon-ssm-agent.amazon-ssm-agent (1657) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1670e10d1b4c61e042ee28544faf2e957074b5c8d24c6a9924d02a52d949650a + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+profiles[\s]+are[\s]+in[\s]+complain[\s]+mode +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined" : [PASSED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+processes[\s]+are[\s]+unconfined +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1244) + /usr/lib/ipsec/charon (1397) + /usr/sbin/clamd (1275) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1233) + snap.amazon-ssm-agent.amazon-ssm-agent (1657) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1244) + /usr/lib/ipsec/charon (1397) + /usr/sbin/clamd (1275) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1233) + snap.amazon-ssm-agent.amazon-ssm-agent (1657) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5a0a9394aa1194432b4689b2901733d9696fb84053104c512f292930ef53572a + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+processes[\s]+are[\s]+unconfined +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "3.4.1 Ensure DCCP is disabled - modprobe" : [FAILED] + +The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v dccp +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v dccp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko + The command '/sbin/modprobe -n -v dccp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e037d1730fcc5a031e6de6a0d1f75ff49783b2de6cb6018827731a84a9c97ae2 + 3.4.1 Ensure DCCP is disabled - modprobe + The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v dccp +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + $Revision: 1.480 $ + + + "3.4.1 Ensure DCCP is disabled - lsmod" : [PASSED] + +The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 38e554ce49d5a8e7cd9c29c4015676f0daaff030139d1d6e278d089e83f14e9c + 3.4.1 Ensure DCCP is disabled - lsmod + The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + $Revision: 1.480 $ + + + "3.4.2 Ensure SCTP is disabled - modprobe" : [FAILED] + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v sctp +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v sctp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko + The command '/sbin/modprobe -n -v sctp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1d9c2eb6c7f711dc687ab63f8ea9aca6790f56362a092dc77656990bfec0f2a9 + 3.4.2 Ensure SCTP is disabled - modprobe + The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v sctp +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + $Revision: 1.480 $ + + + "3.4.2 Ensure SCTP is disabled - lsmod" : [PASSED] + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3328ad9e63c7fc3da06905f76d3c33e763e1fe9db4f63c4a09c8096bc0afe7d6 + 3.4.2 Ensure SCTP is disabled - lsmod + The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + $Revision: 1.480 $ + + + "3.4.3 Ensure RDS is disabled - modprobe" : [FAILED] + +The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v rds +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v rds' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko + The command '/sbin/modprobe -n -v rds' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 99fd82e0888527989acb12eff6b6ece5bf7800172acd19f1ef243b0e03cb1f5b + 3.4.3 Ensure RDS is disabled - modprobe + The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v rds +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + $Revision: 1.480 $ + + + "3.4.3 Ensure RDS is disabled - lsmod" : [PASSED] + +The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d1a52cc395c78f5e8d7605583c4ac4d7a8e86607a8bff227041c7af748b55925 + 3.4.3 Ensure RDS is disabled - lsmod + The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + $Revision: 1.480 $ + + + "3.4.4 Ensure TIPC is disabled - modprobe" : [FAILED] + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v tipc +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v tipc' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko + The command '/sbin/modprobe -n -v tipc' returned : + +insmod 
/lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3db2caeceeda7a949bd56503baa0c7fe1febfb52b271a578e55a000b0de87a36 + 3.4.4 Ensure TIPC is disabled - modprobe + The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + cmd: /sbin/modprobe -n -v tipc +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + $Revision: 1.480 $ + + + "3.4.4 Ensure TIPC is disabled - lsmod" : [PASSED] + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b91d59e016faf4fa49bebb7013728be99e25efc8b40fed3656522e47b46fca39 + 3.4.4 Ensure TIPC is disabled - lsmod + The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + $Revision: 1.480 $ + + + "3.7 Disable IPv6" : [FAILED] + +Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented. + +Rationale: + +If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. + +Solution: +Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: + +GRUB_CMDLINE_LINUX='ipv6.disable=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2 + +Policy Value: +expect: ipv6\.disable[\s]*=[\s]*1 +file: /etc/default/grub +regex: ^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]* +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/default/grub - regex '^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]*' found - expect 'ipv6\.disable[\s]*=[\s]*1' not found in the following lines: + 11: GRUB_CMDLINE_LINUX="audit=1" + Non-compliant file(s): + /etc/default/grub - regex '^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]*' found - expect 'ipv6\.disable[\s]*=[\s]*1' not found in the following lines: + 11: GRUB_CMDLINE_LINUX="audit=1" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
dcc9e323d3118c8552c80fa72b9ec93ea2902b582d9f906453a093d36b90f2e4 + 3.7 Disable IPv6 + Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented. + +Rationale: + +If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. + expect: ipv6\.disable[\s]*=[\s]*1 +file: /etc/default/grub +regex: ^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]* +system: Linux + 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv6|11, CSCv6|3, CSCv6|9.1, CSCv7|9.4, CSF|PR.DS-6, LEVEL|2NS, QCSC-v1|3.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: + +GRUB_CMDLINE_LINUX='ipv6.disable=1' + +Run the following command to update the grub2 configuration: + +# update-grub + $Revision: 1.480 $ + + + "4.1.1.1 Ensure auditd is installed" : [FAILED] + +auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ +Solution: +Run the following command to Install auditd + +# apt install auditd audispd-plugins + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3 + +Policy Value: +cmd: /usr/bin/dpkg -s audispd-plugins 2>&1 +expect: install[\s]+ok[\s]+installed +system: Linux + +Actual Value: +The command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : + +dpkg-query: package 'audispd-plugins' is not installed and no information is available +Use dpkg --info (= dpkg-deb --info) to examine archive files, +and dpkg --contents (= dpkg-deb --contents) to list their contents. + The command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : + +dpkg-query: package 'audispd-plugins' is not installed and no information is available +Use dpkg --info (= dpkg-deb --info) to examine archive files, +and dpkg --contents (= dpkg-deb --contents) to list their contents. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a3b73e25f8f83243c98dec8a14f08e61e6cde434944acc7df9334c5c10557b7e + 4.1.1.1 Ensure auditd is installed + auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ cmd: /usr/bin/dpkg -s audispd-plugins 2>&1 +expect: install[\s]+ok[\s]+installed +system: Linux + 800-171|3.4.8, 800-53|CM-7(5), CSCv7|6.2, CSCv7|6.3, CSF|PR.IP-1, CSF|PR.PT-3, ISO/IEC-27001|A.12.5.1, ISO/IEC-27001|A.12.6.2, LEVEL|2S, PCI-DSSv3.1|12.3.7, PCI-DSSv3.2|12.3.7, SWIFT-CSCv1|2.3, TBA-FIISB|44.2.2, TBA-FIISB|49.2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Run the following command to Install auditd + +# apt install auditd audispd-plugins + $Revision: 1.480 $ + + + "4.1.1.2 Ensure auditd service is enabled" : [PASSED] + +Enable and start the auditd daemon to record system events. + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. + +Solution: +Run the following command to enable auditd : + +# systemctl --now enable auditd + +Notes: + +Additional methods of enabling a service exist. Consult your distribution documentation for appropriate methods. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print "disabled" }' +dont_echo_cmd: YES +expect: enabled +system: Linux + +Actual Value: +The command returned : + +enabled + The command returned : + +enabled + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ab5082f2a6664c330fafb8ccb5a6e113b3acedf28af7be360007128a4e2ee43c + 4.1.1.2 Ensure auditd service is enabled + Enable and start the auditd daemon to record system events. + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ cmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print "disabled" }' +dont_echo_cmd: YES +expect: enabled +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CIP|007-6-R1, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|6.2, CSCv7|6.2, CSCv7|6.3, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to enable auditd : + +# systemctl --now enable auditd + +Notes: + +Additional methods of enabling a service exist. Consult your distribution documentation for appropriate methods. + $Revision: 1.480 $ + + + "4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled" : [PASSED] + +Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. + +Rationale: + +Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected. + +Solution: +Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: + +GRUB_CMDLINE_LINUX='audit=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +Notes: + +This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. + +Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4 + +Policy Value: +expect: ^[\s]*linux[\s]+.*audit=1.*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + +Actual Value: +Compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit=1.*[\s]*$' found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + Compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit=1.*[\s]*$' found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux 
/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + beb3e9a25319309353b7d2126839697cb26ef1a207d7b42173b5a7d4768146d7 + 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled + Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. + +Rationale: + +Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected. + expect: ^[\s]*linux[\s]+.*audit=1.*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + 800-53|AU-14(1), 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv6|6.2, CSCv7|6.2, CSCv7|6.3, CSF|PR.DS-6, CSF|PR.PT-1, LEVEL|2S, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: + +GRUB_CMDLINE_LINUX='audit=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +Notes: + +This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. + +Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment. + $Revision: 1.480 $ + + + "4.1.1.4 Ensure audit_backlog_limit is sufficient" : [FAILED] + +The backlog limit has a default setting of 64 + +Rationale: + +during boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. 
+ +Solution: +Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: +Example: + +GRUB_CMDLINE_LINUX='audit_backlog_limit=8192' + +Run the following command to update the grub2 configuration: + +# update-grub + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4 + +Policy Value: +expect: ^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + +Actual Value: +Non-compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$' not found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + Non-compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$' not found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips 
root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0d5a1c8227f347c747dd36d194b25c1c2189dfffc21c8c9bd70fe6233ae8a37b + 4.1.1.4 Ensure audit_backlog_limit is sufficient + The backlog limit has a default setting of 64 + +Rationale: + +during boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. + expect: ^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + 800-53|AU-14(1), 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv7|6.2, CSCv7|6.3, CSF|PR.DS-6, CSF|PR.PT-1, LEVEL|2S, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: +Example: + +GRUB_CMDLINE_LINUX='audit_backlog_limit=8192' + +Run the following command to update the grub2 configuration: + +# update-grub + $Revision: 1.480 $ + + + "4.1.2.1 Ensure audit log storage size is configured" : [FAILED] + +Configure the maximum size of the audit log file. 
Once the log reaches the maximum size, it will be rotated and a new log file will be started. + +Rationale: + +It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. + +Solution: +Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: + +max_log_file = <MB> + +Notes: + +The max_log_file parameter is measured in megabytes. + +Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2 + +Policy Value: +expect: ^[\s]*max_log_file[\s]*=[\s]*32[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file[\s]*=' found - expect '^[\s]*max_log_file[\s]*=[\s]*32[\s]*$' not found in the following lines: + 12: max_log_file = 8 + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file[\s]*=' found - expect '^[\s]*max_log_file[\s]*=[\s]*32[\s]*$' not found in the following lines: + 12: max_log_file = 8 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e500cc8a802bc7694994e6db78f18b034e1d28782eb4a6912325b339240c22ed + 4.1.2.1 Ensure audit log storage size is configured + Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. + +Rationale: + +It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. 
+ expect: ^[\s]*max_log_file[\s]*=[\s]*32[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file[\s]*= +system: Linux + 800-53|AU-4, CSCv6|6.3, CSCv7|6.4, CSF|PR.DS-4, CSF|PR.PT-1, ITSG-33|AU-4, LEVEL|2S, NESA|T3.3.1, NESA|T3.6.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: + +max_log_file = <MB> + +Notes: + +The max_log_file parameter is measured in megabytes. + +Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness. + $Revision: 1.480 $ + + + "4.1.2.2 Ensure audit logs are not automatically deleted" : [FAILED] + +The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. + +Rationale: + +In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. 
+ +Solution: +Set the following parameter in /etc/audit/auditd.conf: + +max_log_file_action = keep_logs + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1 + +Policy Value: +expect: ^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file_action[\s]*=' found - expect '^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$' not found in the following lines: + 19: max_log_file_action = ROTATE + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file_action[\s]*=' found - expect '^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$' not found in the following lines: + 19: max_log_file_action = ROTATE + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6e13000c5b809d2c8fc00608ff7cd19e333e485822287be53c2e4f2c542242dd + 4.1.2.2 Ensure audit logs are not automatically deleted + The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. + +Rationale: + +In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. 
+ expect: ^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file_action[\s]*= +system: Linux + 800-171|3.3.4, 800-53|AU-5, CN-L3|7.1.3.3(e), CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NESA|T3.6.2, QCSC-v1|13.2, QCSC-v1|8.2.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameter in /etc/audit/auditd.conf: + +max_log_file_action = keep_logs + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'" : [FAILED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f + +Policy Value: +expect: ^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*space_left_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*space_left_action[\s]*=' found - expect '^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$' not found in the following lines: + 21: space_left_action = SYSLOG + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*space_left_action[\s]*=' found - expect '^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$' not found in the following lines: + 21: space_left_action = SYSLOG + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 851345a359be44bc57399f60628166b6e59dfdc9952d2be7edc6f30baf14f745 + 4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = 
email' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + expect: ^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*space_left_action[\s]*= +system: Linux + 800-53|AU-5, CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NIAv2|GS7f + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'" : [PASSED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. 
+ +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1 + +Policy Value: +expect: ^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*action_mail_acct[\s]*= +system: Linux + +Actual Value: +Compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*action_mail_acct[\s]*=' found - expect '^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$' found in the following lines: + 23: action_mail_acct = root + Compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*action_mail_acct[\s]*=' found - expect '^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$' found in the following lines: + 23: action_mail_acct = root + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 87a5019362188f880b12b0db9f7a6722c0d770cc81e56dc2ad0431e391a8028a + 4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. 
+ expect: ^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*action_mail_acct[\s]*= +system: Linux + 800-171|3.3.4, 800-53|AU-5, CN-L3|7.1.3.3(e), CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NESA|T3.6.2, QCSC-v1|13.2, QCSC-v1|8.2.1 + PASSED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'" : [FAILED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S + +Policy Value: +expect: ^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*admin_space_left_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*admin_space_left_action[\s]*=' found - expect '^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$' not found in the following lines: + 25: admin_space_left_action = SUSPEND + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*admin_space_left_action[\s]*=' found - expect '^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$' not found in the following lines: + 25: admin_space_left_action = SUSPEND + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2d0bf429882a38e136552f24adebfb06fbd0317cc794eed6270bd199397c7ad6 + 4.1.2.3 Ensure system is disabled when 
audit logs are full - 'admin_space_left_action = halt' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + expect: ^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*admin_space_left_action[\s]*= +system: Linux + 800-53|AU-5, CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a8b2f2261eb3b7b4d80071498b7d58f37db532a39c36d5524012ce0d209aacb7 + 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S 
clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7c6ebd0e63d5d58bc54bd5116879744822fde8c539fd3639d932c3d905883797 + 4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e853acce9dc707d6b8eea4d76b70a4167adaa35cca3c51b8910ab1b72d0c0a6e + 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k 
time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 8f7bd6440f3595de3ce5858b86e3cba3b1c2c64d04a300eec8ddd29b2054a2ab + 4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d28681e1b34f220361864e365f3e5749befdf339d6d105df25099f689871bf09 + 4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - /etc/localtime" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +file: /etc/audit/audit.rules +regex: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change" + The file "/etc/audit/audit.rules" does not contain "-w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1ad48da139aca36a97542dff2fca8abec77e14832952157e5672774aeb7c835a + 4.1.3 Ensure events that modify date and time information are collected - /etc/localtime + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +file: /etc/audit/audit.rules +regex: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4498a5dbbb2f0d9cbbfe6506b64302bb0cb1fe2e04385a5472cba0f36dcbb82e + 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S 
clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4de4992a4a1671fff353d799fcde2677e169b780f53a041d5e6ca0be505c3ce3 + 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k 
time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6e2ad8f0439fb2d4a04ac3cdf0f5db2e235296d8aef9c0fab064c32e219ebab7 + 4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f90a0e9dce9450ed4f31eda16f406eb2471769fe1a80b1c62cbadaa34207a34d + 4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/group" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b31c7ecc03eec809270d0771b0c8cb5604d6f4606cd9962d50d0868b69451237 + 4.1.4 Ensure events that modify 
user/group information are collected - /etc/group + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f992026cf97ff0cc3205f67b112e45cf7432da5e21e155ffa062907a996d07a2 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/passwd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c4225ffe1dc7f8b04ea520c2933cd151af3acc65e68f7b0aab904a33910728cb + 4.1.4 Ensure events that modify user/group information are collected - /etc/passwd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. 
+ +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e771db8e6788e6fdc4d3a597670422a314a7c68d376405d8ecd409a4988452fd + 4.1.4 Ensure events that modify user/group information are collected - auditctl 
/etc/passwd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ad9bbec9aefae616eaf490912d1dfc8e1174da53045878503970261b0900fcd9 + 4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ expect: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 9107757c81c15efbbf8a5d6c0f00878c037f79bf972e7d96ba41211f5bd3e00c + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/shadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 936f891dfe1a0d5ea0917dcf9e4c56066c9159f8662f7390b7d5d59ecb844272 + 4.1.4 Ensure events that modify 
user/group information are collected - /etc/shadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b6b70b67ef4e2556956c13264699d60e45aec6399aea37d149d7b2a0b33c4bf3 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2f3f4a76f9880bea92989e7caa0afd0d26c00b1e73ae19666df23e1b7c3fe57a + 4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
9d5d30d175370be54d1f830b7c7d3965c9c1306a0caf83044fa60f98eeb8a0a1 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0420b9df8b56be058851e1b46fd032f9bd3bde339f6b4c156a7ea324009295d4 + 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. 
+ +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k 
system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4c7a06c32c59688deb682e545cab38af927004d77a43e117345f666e7417c398 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - issue" : [FAILED] + +Record changes to network environment files or system calls. 
The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a4627cee557446d2e1af27364b89c81b8214345ff4cc59e2e983a5c0d559d6ec + 4.1.5 Ensure events that modify the system's network environment are collected - issue + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d4f8c013750a1db1505dfc0e5d8998d672c90caa1f796bf1f2468ac91ed0fb44 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules 
+and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - issue.net" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b0bac992a93d7597d9b1c6c3459b8cff3e6f268ef7b8ff65df7b3a87164b5059 + 4.1.5 Ensure events that modify the system's network environment are collected - issue.net + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k 
system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5c19eed8ec5c51fff27ba1718811b14292012c1ebf6c9b95315ecff1f45ec8b9 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + de728ffbc8b0efcf9e36595a1d10763638e77abd0175917dc8f1766eb865c4cb + 4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a 
always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1780c1a10342cecf2f612ea67cf848a1bed2d0b7f96c99ce45ee8d1d676c56c0 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules 
+and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - /etc/network" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4dd1d3e582c76c6eabd1a2c47b3089fa19de4bfabfe56c9b76c277c20df633c7 + 4.1.5 Ensure events that modify the system's network environment are collected - /etc/network + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl network" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3e9a4f4ccf9b5f576402bbbfca100daf55f08c91c39be9397e84dde2eba4e1ec + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl network + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1e7a5952df1e4ee4a598e84fc4f102e2d5053175e70f9a7b129f1a5c2babf2b6 + 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. 
+ +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k 
system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 98a0ebf0015ed7c023df1b273dfeb0da2ccfd9588cd207f10c2363a30e9be3f0 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/" : [FAILED] + +Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6bd95d1d5d7bb72928b49fe6576b9c7dcb81435662c7afb0e280f5bd51bb1ceb + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/ + Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + expect: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2ddfce8b96fae8514b37579579cc75c0a5c5f6182a479944134de370fbec8fed + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/ + Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6105b9523a81171ea54322d658ca1fd99a26a57eb878563ac6f6bd768a136b97 + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/ + Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + expect: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b7ef7c8286a7e4ef03d78673eced8b82b2353009cda557ccbca8f56501148434 + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/ + Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/lastlog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 11e3dbacda852bfa703326b36102e26f28cfa54ba9a3639ceb120ad3e34acda5 + 4.1.7 Ensure login and logout events are collected - /var/log/lastlog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7ab0bd3f92d264704402b1bd7557aeb927c6ee304d2c675fa3a533d17340bab0 + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/faillog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a0475517601e550f306cb5fc117f94884adc3d2d0a27bfceec74926236d07c31 + 4.1.7 Ensure login and logout events are collected - /var/log/faillog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 897994af1adf891d3ec6320e2e2c7ce99413c1004c126251ddb453a345248d1f + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog + Monitor 
login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/tallylog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f4c95ac4492bc2fd3b42c854b99d763c1092e372cb5c3dc8e73f2f53d2f18974 + 4.1.7 Ensure login and logout events are collected - /var/log/tallylog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2a20560c097b3583fc8ae4a9f4a4f81ccd115ce1d577cacb7a3d5bce2b0bb38b + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog + 
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - utmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e0e32c7abaa520af57d5fcd0509af4efd600d0fe6194e88bfd070eeb0b7c32f2 + 4.1.8 Ensure session initiation information is collected - utmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl utmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
334856ae21edbfc8e4ee69474e5162330346bb8eb005bf32c71230ef47e269e7 + 4.1.8 Ensure session initiation information is collected - auditctl utmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - wtmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5d42e9edf7128427652c2d26d8071dbe75373a4cdee761a506b1e9a4342ee0cd + 4.1.8 Ensure session initiation information is collected - wtmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl wtmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
778fcea391b5dcbd7e4e9d94f0041c11506ff1b24e4ec11d2ea035069bc4380e + 4.1.8 Ensure session initiation information is collected - auditctl wtmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - btmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5b94974042792bdc279a8e5a10036b5991f126f79e06946a7efaea572d31b3bf + 4.1.8 Ensure session initiation information is collected - btmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl btmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
ef94c6dcf22a4f89985b81b0e6a565bbbdc4d9e9f1c29468d31dc32bf24b6a1d + 4.1.8 Ensure session initiation information is collected - auditctl btmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ed612d721cb76e091a63409120de4a8eb33983a648ac29cfe81e1c362ef0881d + 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F 
auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S 
fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
8f3913220ffa84f56d1246020c38b12f7ca4319180661291865bd8eaf2a4282e + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S 
fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b240407faf92342c6c14680877ee59d28c2ced52e61d3c1fbb39ad29b3be3527 + 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules 
+Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) 
print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5433cc45f04c9d8dc054f61f8ed24e857d5ac8a2c9f389d40a50e60326c1145a + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S 
lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 8bace636fd3d0ee4af88ffd2071c61dc69517fa01f308d6d7aac72e8f0d828ef + 4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit 
-F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 62ce63cf9c422074f5f884cc643c35470363c956e7882ed2a99f6cb2cfa7d473 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k 
perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0df8a92a377f538eda7d6d72950db31248cedf3888d8f7814e5cd9641421a0bc + 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F 
auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S 
fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
2cb128c8490dc349fd5f43a1e18b6fd5b909860ff92287ff0291ce89870823fd + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S 
fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ff4d64871baeccb6b463a35ebd3299858b02f3396814c4cc063edcec9bb16f30 + 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) 
print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0efe00fae162ed63d3a7a1f7d308be5bf43950104f0262044cfc67e0a405ba25 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S 
lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + cd8157063033a8ee2c02be626b5398d6afe880168114e845196c9f105bc8e0c6 + 4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit) + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S 
chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0c37fb782e57215ee0d927c44e3ce193449ccb56b406724c084772023fdb8be3 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k 
perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c43555aef0dbf51050493b49ee3f20e5ef50c2237c34dcf2d6c0603971ccc093 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b3caa9146de0f5959793e2ccad56b548524aa36c1c2601d3fa415655ccf90923 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + bf99c3878172804505f3bc5c0fd73b06da8420e24c756fb7f3f40e0141393433 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + cefb7ab557baa40a03012af96f8b142c4308f9ae3dc7fb829109c856785412f1 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e4c1eedd2a3bbb88dbd046bd31d3e5476ab90c15cec8eaa13bd186d00ff57272 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit) + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2395aa07f0abf9761dd934e48a53afa6f8071b84c709dfb525ff3f9e43623ead + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit) + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 08e70e7093244321f07b8371516d57c030c72313285a69200b865f0d8eb35910 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit) + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5e0c411a1e9c2491ff606cba6d8c821e12affc82cfd65c4977376362fd8e83dd + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit) + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.11 Ensure use of privileged commands is collected" : [FAILED] + +Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. + +Solution: +To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. 
The audit parameters associated with this are as follows: +-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events +All audit records should be tagged with the identifier 'privileged'. +Run the following command replacing with a list of partitions where programs can be executed from on your system: + +# find <partition> -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print +'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 +-k privileged' }' + +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/privileged.rules +And add all resulting lines to the file. + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2 + +Policy Value: +cmd: IFS=$''; LINES=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f); for LINE in $LINES; do LINE="-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"; if [ $(grep -- "$LINE" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo "$LINE - not found in /etc/audit/rules.d/"; fi; done +dont_echo_cmd: YES +not_expect: not found +system: Linux + +Actual Value: +The command returned : + +-a always,exit -F path=/opt/threatstack/sbin/tsfim +/opt/threatstack/sbin/tsauditd +/opt/threatstack/sbin/tsagentd +/opt/threatstack/sbin/raudit +/usr/lib/openssh/ssh-keysign +/usr/lib/snapd/snap-confine +/usr/lib/eject/dmcrypt-get-device +/usr/lib/dbus-1.0/dbus-daemon-launch-helper +/usr/lib/x86_64-linux-gnu/utempter/utempter +/usr/lib/policykit-1/polkit-agent-helper-1 +/usr/bin/passwd +/usr/bin/newgrp +/usr/bin/pkexec +/usr/bin/bsd-write +/usr/bin/expiry +/usr/bin/chage +/usr/bin/chfn +/usr/bin/traceroute6.iputils +/usr/bin/crontab +/usr/bin/at +/usr/bin/sudo +/usr/bin/gpasswd +/usr/bin/ssh-agent +/usr/bin/chsh +/usr/bin/mlocate +/usr/bin/wall +/sbin/unix_chkpwd +/sbin/pam_extrausers_chkpwd +/bin/mount +/bin/su +/bin/umount +/bin/ping +/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/ + The command returned : + +-a always,exit -F path=/opt/threatstack/sbin/tsfim +/opt/threatstack/sbin/tsauditd +/opt/threatstack/sbin/tsagentd +/opt/threatstack/sbin/raudit +/usr/lib/openssh/ssh-keysign +/usr/lib/snapd/snap-confine +/usr/lib/eject/dmcrypt-get-device +/usr/lib/dbus-1.0/dbus-daemon-launch-helper +/usr/lib/x86_64-linux-gnu/utempter/utempter +/usr/lib/policykit-1/polkit-agent-helper-1 +/usr/bin/passwd +/usr/bin/newgrp +/usr/bin/pkexec +/usr/bin/bsd-write +/usr/bin/expiry +/usr/bin/chage +/usr/bin/chfn 
+/usr/bin/traceroute6.iputils +/usr/bin/crontab +/usr/bin/at +/usr/bin/sudo +/usr/bin/gpasswd +/usr/bin/ssh-agent +/usr/bin/chsh +/usr/bin/mlocate +/usr/bin/wall +/sbin/unix_chkpwd +/sbin/pam_extrausers_chkpwd +/bin/mount +/bin/su +/bin/umount +/bin/ping +/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/ + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 293349b070010c7e68206a4468974e29b921c4dd13799a9fcfdf8db0e3baf248 + 4.1.11 Ensure use of privileged commands is collected + Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. + cmd: IFS=$''; LINES=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f); for LINE in $LINES; do LINE="-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"; if [ $(grep -- "$LINE" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo "$LINE - not found in /etc/audit/rules.d/"; fi; done +dont_echo_cmd: YES +not_expect: not found +system: Linux + 800-171|3.1.7, 800-53|AC-6(10), CSCv6|5.1, CSCv7|5.1, CSF|PR.AC-4, LEVEL|2S, QCSC-v1|5.2.2, QCSC-v1|6.2 + FAILED + https://workbench.cisecurity.org/files/2611 + To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. 
The audit parameters associated with this are as follows: +-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events +All audit records should be tagged with the identifier 'privileged'. +Run the following command replacing with a list of partitions where programs can be executed from on your system: + +# find <partition> -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print +'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 +-k privileged' }' + +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/privileged.rules +And add all resulting lines to the file. + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - 32-bit" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 507850f012ae2f026e5da7ae28cb529fa8dc8e011c9075b8a344e04be97c136e + 4.1.12 Ensure successful file system mounts are collected - 32-bit + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F 
auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. 
System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 35f9902a028545a929c9e4b2d8182848d5cf7af326e9ce8b34cdc98b8de923f1 + 4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit) + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - 64-bit" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. 
The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + The file "/etc/audit/audit.rules" does not contain 
"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ec348285db8173a031444fde71da70cc9af348e5d5844414723d00f5b06ac0e3 + 4.1.12 Ensure successful file system mounts are collected - 64-bit + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. 
The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a 
always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4e1f48102917b94e03671569ced1ed5f2e12c75dbc073559273ebb87440f9502 + 4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit) + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - 32-bit" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. 
This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c4c538eb0d9adc4e1b9f3f040c5dbebf537f24581faf5d3e97c6e405773b7171 + 4.1.13 Ensure file deletion events by users are collected - 32-bit + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. 
+ +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in 
.rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 
0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 18496caba825b6b3b7aba408aa2fdd82264037b1571d232ef605c9d8cfd83682 + 4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit) + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - 64-bit" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. 
This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7f02e4367d27f7b08950a84fe787f594ee41e6087a948c2e6048dce565702def + 4.1.13 Ensure file deletion events by users are collected - 64-bit + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. 
+ +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in 
.rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 
0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 29fa10a71ae56832ee59df1f6c16f0ca28c3a06b7f70ed10b38dbe8af2770969 + 4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit) + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers" : [FAILED] + +Monitor scope changes for system administrations. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e8fef2d63fce68b3aebdf87672f23f44b82784ec90d5cb5d7487085164337768 + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - 
sudoers + Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + expect: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6c9565caf492ae04a934479f78d8dfec3cd8319153c6414eeb016504eab9a8cc + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers + Monitor scope 
changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 17db8c79852c4ffca552336921bdb821d619b8eaa1aa78a63febe192a38fc63d + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d + Monitor scope changes for system administrations. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + expect: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + eb02bf62db0abc558120b5c2615efe2911761a7c01d578405de0c1ac1c05bd93 + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d 
+ Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.15 Ensure system administrator actions (sudolog) are collected" : [FAILED] + +Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . 
Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b2803cc5e0e322fccb3bb2ca3cfea7299471320ff54cdf6d3d9f001295058e00 + 4.1.15 Ensure system administrator actions (sudolog) are collected + Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. 
+ expect: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl" : [FAILED] + +Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. 
+ +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 501b2b659bd8c6c0e4765b61086febd1e353604ec08dac2b9d5dd2b4066ee2f5 + 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl + Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - insmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b39bb1a24e89e67fdd9a1cc5bc903984ef011fcdcdf7aaf4aac97b6ae1cf5a56 + 4.1.16 Ensure kernel module loading and unloading is collected - insmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5f5dca23dc39b8f14aec44a2569c75add61c907fb3c78d179122a5afeedfe177 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - rmmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 68902d2f68c462e5f95fa1790fccfd1a3888d03b696d9da7eda317eead033d72 + 4.1.16 Ensure kernel module loading and unloading is collected - rmmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7275547d8a319270eb93eed611c7ac20adcd4beae74ed3fbeccee11b8e354547 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - modprobe" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d8b698b73645dad96c72c6d08d8f28741d4e127ec85616670dbdf427facf3604 + 4.1.16 Ensure kernel module loading and unloading is collected - modprobe + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 91e5bdbac3f50f475ad5a0baa06f7dc19e805a2291d09b0860012c09cff73367 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 939c46efe9f7e1b91be256d2ec9212bf5153e5f7d865a97fe4b5e004f00e4bc7 + 4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a3d53b1ab5b465ff86cc2932355cdc38a25da88f6f1864abff3097b68246ad6a + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. 
Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set 
active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + 
CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 394a22f398ef95a2f0d84a72ba5d8addbb93d040f41c3f3f4e466fb90737b113 + 4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b9cb045ebb817de1c09597630d7436dfd8db88613f24cf5f90de25e345efbfe9 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. 
Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set 
active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.17 Ensure the audit configuration is immutable" : [FAILED] + +Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot. + +Rationale: + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. + +Solution: +Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line + +-e 2 + +at the end of the file + +Notes: + +This setting will ensure reloading the auditd config to set active settings requires a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/grep -v "^$" /etc/audit/audit.rules | /usr/bin/tail -1 +dont_echo_cmd: YES +expect: ^[\s]*-e[\s]+2[\s]*$ +system: Linux + +Actual Value: +The command returned : + +--backlog_wait_time 0 + The command returned : + +--backlog_wait_time 0 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + dd3e7f47c1e769675b99ac24944487dfa2923267866b81b24ad14f624a75dd1a + 4.1.17 Ensure the audit configuration is immutable + Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot. + +Rationale: + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. 
Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. + cmd: /bin/grep -v "^$" /etc/audit/audit.rules | /usr/bin/tail -1 +dont_echo_cmd: YES +expect: ^[\s]*-e[\s]+2[\s]*$ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|8.1.10.6(d), CSCv6|3, CSCv7|6.2, CSCv7|6.3, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, NESA|T3.2.1, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line + +-e 2 + +at the end of the file + +Notes: + +This setting will ensure reloading the auditd config to set active settings requires a system reboot. + $Revision: 1.480 $ + + + "5.2.6 Ensure SSH X11 forwarding is disabled" : [PASSED] + +The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. + +Rationale: + +Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. 
+ +Solution: +Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +X11Forwarding no + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +expect: ^[\s]*X11Forwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*X11Forwarding[\s] +system: Linux + +Actual Value: +Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*X11Forwarding[\s]' found - expect '^[\s]*X11Forwarding[\s]+no[\s]*$' found in the following lines: + 22: X11Forwarding no + Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*X11Forwarding[\s]' found - expect '^[\s]*X11Forwarding[\s]+no[\s]*$' found in the following lines: + 22: X11Forwarding no + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 75a649a0fc1d66f4faf0b86fab5631c2df6ad6a53d0559d9adbab8611d8e03db + 5.2.6 Ensure SSH X11 forwarding is disabled + The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. + +Rationale: + +Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. 
+ expect: ^[\s]*X11Forwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*X11Forwarding[\s] +system: Linux + 800-171|3.4.2, 800-53|CM-6, CIP|007-6-R1, CN-L3|8.1.10.6(d), CSCv7|9.2, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|1S, LEVEL|2S, NESA|T3.2.1, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +X11Forwarding no + $Revision: 1.480 $ + + + "5.2.21 Ensure SSH AllowTcpForwarding is disabled" : [PASSED] + +SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines + +Rationale: + +Leaving port forwarding enabled can expose the organization to security risks and back-doors. + +SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network + +Solution: +Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +AllowTcpForwarding no + +Impact: + +SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications. 
+ +Default Value: + +AllowTcpForwarding yes + +References: + +https://www.ssh.com/ssh/tunneling/example + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3 + +Policy Value: +expect: ^[\s]*AllowTcpForwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*AllowTcpForwarding[\s] +system: Linux + +Actual Value: +Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*AllowTcpForwarding[\s]' found - expect '^[\s]*AllowTcpForwarding[\s]+no[\s]*$' found in the following lines: + 63: AllowTcpForwarding no + Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*AllowTcpForwarding[\s]' found - expect '^[\s]*AllowTcpForwarding[\s]+no[\s]*$' found in the following lines: + 63: AllowTcpForwarding no + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0afee2ea9d92a9032de96dac0ac4841c2165281ba053b0b0f85d437aa76fd6ac + 5.2.21 Ensure SSH AllowTcpForwarding is disabled + SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines + +Rationale: + +Leaving port forwarding enabled can expose the organization to security risks and back-doors. + +SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network + expect: ^[\s]*AllowTcpForwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*AllowTcpForwarding[\s] +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|8.1.10.6(d), CSCv7|9.2, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, NESA|T3.2.1, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +AllowTcpForwarding no + +Impact: + +SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications. + +Default Value: + +AllowTcpForwarding yes + +References: + +https://www.ssh.com/ssh/tunneling/example + $Revision: 1.480 $ + + + "6.1.1 Audit system file permissions" : [WARNING] + +The Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: + +Code Meaning + +S File size differs. + +M File mode differs (includes permissions and file type). + +5 The MD5 checksum differs. + +D The major and minor version numbers differ on a device file. + +L A mismatch occurs in a link. + +U The file ownership differs. + +G The file group owner differs. + +T The file time (mtime) differs. + +The dpkg -S command can be used to determine which package a particular file belongs to. 
For example the following command determines which package the /bin/bash file belongs to: + +# dpkg -S /bin/bash + + + +bash: /bin/bash + + + + +To verify the settings for the package that controls the /bin/bash file, run the following: + +# dpkg --verify bash + + + +??5?????? c /etc/bash.bashrc + +Rationale: + +It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor. + +NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. + +Solution: +Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + +Notes: + +Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures. + +Some of the recommendations of this benchmark alter the state of files audited by this recommendation. The audit command will alert for all changes to a file permissions even if the new state is more secure than the default. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS + +Policy Value: +WARNING + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 79108ca19f615ebba631613bd4f83427f83414add433dea43fd95a2221480e3d + 6.1.1 Audit system file permissions + The Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: + +Code Meaning + +S File size differs. 
+ +M File mode differs (includes permissions and file type). + +5 The MD5 checksum differs. + +D The major and minor version numbers differ on a device file. + +L A mismatch occurs in a link. + +U The file ownership differs. + +G The file group owner differs. + +T The file time (mtime) differs. + +The dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to: + +# dpkg -S /bin/bash + + + +bash: /bin/bash + + + + +To verify the settings for the package that controls the /bin/bash file, run the following: + +# dpkg --verify bash + + + +??5?????? c /etc/bash.bashrc + +Rationale: + +It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor. + +NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. + WARNING + CSCv6|14.4, CSCv7|14.6, LEVEL|2NS + WARNING + https://workbench.cisecurity.org/files/2611 + Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + +Notes: + +Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures. + +Some of the recommendations of this benchmark alter the state of files audited by this recommendation. The audit command will alert for all changes to a file permissions even if the new state is more secure than the default. 
+ $Revision: 1.480 $ + + + + + 1616621563 + ip-10-10-24-231 + 10.10.24.231 + 314d0e25-6e0f-45db-9656-f2bb495a146b + local + efdab1555e91472fb84e04e0bff2e033 + Wed Mar 24 21:03:39 2021 + Wed Mar 24 22:05:56 2021 + other + Policy Compliance Auditing + true + ip-10-10-24-231 + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 6062/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 22/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5432/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 8126/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5000/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 5001/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 3000/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 3001/tcp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 4500/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 8125/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. + https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 68/udp was found to be open + + + 2020/06/12 + 2004/08/15 + remote + n/a + Nessus was able to run 'netstat' on the remote host to enumerate the +open ports. + +See the section 'plugins options' about configuring this plugin. + +Note: This plugin will run on Windows (using netstat.exe) in the +event that the target being scanned is localhost. + Remote open ports can be enumerated via SSH. 
+ https://en.wikipedia.org/wiki/Netstat + None + 1.92 + Port 500/udp was found to be open + + + 2021/01/27 + 2005/08/26 + summary + n/a + This plugin displays, for each tested host, information about the +scan itself : + + - The version of the plugin set. + - The type of scanner (Nessus or Nessus Home). + - The version of the Nessus Engine. + - The port scanner(s) used. + - The port range scanned. + - The ping round trip time + - Whether credentialed or third-party patch management + checks are possible. + - Whether the display of superseded patches is enabled + - The date of the scan. + - The duration of the scan. + - The number of hosts scanned in parallel. + - The number of checks done in parallel. + This plugin displays information about the Nessus scan. + None + 1.99 + Information about this scan : + +Nessus version : 8.2.2 +Plugin feed version : 202103241357 +Scanner edition used : Nessus +Scan type : Unix Agent +Scan policy used : Policy Compliance Auditing +Scanner IP : 127.0.0.1 +Ping RTT : Unavailable +Thorough tests : no +Experimental tests : no +Paranoia level : 1 +Report verbosity : 1 +Safe checks : yes +Optimize the test : yes +Credentialed checks : yes (on the localhost) +Attempt Least Privilege : no +Patch management checks : None +Display superseded patches : yes (supersedence plugin did not launch) +CGI scanning : disabled +Web application tests : disabled +Max hosts : 100 +Max checks : 5 +Recv timeout : 5 +Backports : None +Allow post-scan editing: Yes +Scan Start Date : 2021/3/24 21:32 UTC +Scan duration : 17 sec + + + + "CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark" : [PASSED] + +See Also: https://workbench.cisecurity.org/files/2611 + +Policy Value: +PASSED + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a4a434a6fac51bca9617d1d9cf7276e2efe5afc1a85b890f908a2326aa53881b + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit from CIS Ubuntu Linux 18.04 LTS Benchmark + PASSED + PASSED + 
https://workbench.cisecurity.org/files/2611 + $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab" : [PASSED] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}' +expect: ^none$ +system: Linux + +Actual Value: +The command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}'' returned : + +none + The command '/bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}'' returned : + +none + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1604fba75675449755beb16f0ad68142fd18767aa53eb0b79054310d61403fd7 + 1.1.1.8 Ensure mounting of FAT filesystems is limited - fstab + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /bin/grep -E -i '^[^#]*svfats' /etc/fstab | /usr/bin/awk '{print} END {if (NR == 0) print "none"}' +expect: ^none$ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. 
+ +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. + $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe" : [WARNING] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v vfat +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v vfat' did not return any result + The command '/sbin/modprobe -n -v vfat' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 50e16f4155fa4945be02a15597a3046282783105815d9a45e62ec6ef7ad5069b + 1.1.1.8 Ensure mounting of FAT filesystems is limited - modprobe + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /sbin/modprobe -n -v vfat +expect: install /bin/true +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + WARNING + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ $Revision: 1.480 $ + + + "1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod" : [PASSED] + +The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. + +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2NS,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 76982007b1bb9bdc54d74d16d4cc1f6b819812398524502d589132bc6f0a348d + 1.1.1.8 Ensure mounting of FAT filesystems is limited - lsmod + The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. + +Rationale: + +Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. + +NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. + cmd: /sbin/lsmod | /bin/grep vfat | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2NS, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/vfat.conf + +install vfat /bin/true + +Run the following command to unload the vfat module: + +# rmmod vfat + +Impact: + +The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. 
+ +FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way. + $Revision: 1.480 $ + + + "1.1.6 Ensure separate partition exists for /var" : [FAILED] + +The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + +Rationale: + +Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var[\s]' +expect: on[\s]+/var[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5b46df3c9922510e376a57510888eecd49b19836c08b3aea191b7a3bb4fe107f + 1.1.6 Ensure separate partition exists for /var + The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + +Rationale: + +Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var[\s]' +expect: on[\s]+/var[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.7 Ensure separate partition exists for /var/tmp" : [FAILED] + +The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. + +Rationale: + +Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]' +expect: on[\s]+/var/tmp[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 416c014598552acbf45a74134514c13afd27758043e47a98e44eb9d515e652fb + 1.1.7 Ensure separate partition exists for /var/tmp + The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. + +Rationale: + +Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/tmp[\s]' +expect: on[\s]+/var/tmp[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. 
+ +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + $Revision: 1.480 $ + + + "1.1.11 Ensure separate partition exists for /var/log" : [FAILED] + +The /var/log directory is used by system services to store log data . + +Rationale: + +There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,ISO/IEC-27001|A.12.4.2,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]' +expect: on[\s]+/var/log[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f600ba0773d6426c319aa28abaa2f97d703ab08f51407e0a794934c1b8e9d15b + 1.1.11 Ensure separate partition exists for /var/log + The /var/log directory is used by system services to store log data . + +Rationale: + +There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. + cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log[\s]' +expect: on[\s]+/var/log[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|7.1.2.3(d), CN-L3|7.1.3.3(f), CSCv6|6.3, CSCv7|6.4, CSF|PR.IP-1, ISO/IEC-27001|A.12.4.2, ITSG-33|CM-6, LEVEL|2S, NESA|M5.2.3, NESA|M5.5.2, NESA|T3.2.1, NESA|T3.6.4, NESA|T8.2.9, NIAv2|SM5, NIAv2|SM6, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. 
Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.12 Ensure separate partition exists for /var/log/audit" : [FAILED] + +The auditing daemon, auditd , stores log data in the /var/log/audit directory. + +Rationale: + +There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired. + +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
+ +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.8,800-171|3.4.2,800-53|AU-9,800-53|CM-6,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.10.6(d),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|6.3,CSCv7|6.4,CSF|PR.IP-1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,ITSG-33|CM-6,LEVEL|2S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.2.1,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]' +expect: on[\s]+/var/log/audit[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1084bbdd84e5e61d6aba3f0a96dc841602c2c26378cdbbd2cbe1a93fb0038d8c + 1.1.12 Ensure separate partition exists for /var/log/audit + The auditing daemon, auditd , stores log data in the /var/log/audit directory. + +Rationale: + +There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired. 
+ cmd: /bin/mount | /bin/grep -P 'on[\s]+/var/log/audit[\s]' +expect: on[\s]+/var/log/audit[\s]+ +system: Linux + 800-171|3.3.8, 800-171|3.4.2, 800-53|AU-9, 800-53|CM-6, CN-L3|7.1.2.3(d), CN-L3|7.1.3.3(f), CN-L3|8.1.10.6(d), CN-L3|8.1.3.5(c), CN-L3|8.1.4.3(c), CSCv6|6.3, CSCv7|6.4, CSF|PR.IP-1, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.2, ITSG-33|AU-9, ITSG-33|CM-6, LEVEL|2S, NESA|M5.2.3, NESA|M5.5.2, NESA|T3.2.1, NESA|T3.6.4, NESA|T8.2.9, NIAv2|SM5, NIAv2|SM6, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, QCSC-v1|13.2, QCSC-v1|8.2.1, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +Notes: + +When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + $Revision: 1.480 $ + + + "1.1.13 Ensure separate partition exists for /home" : [FAILED] + +The /home directory is used to support disk storage needs of local users. + +Rationale: + +If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home . 
+ +Solution: +For new installations, during installation create a custom partition setup and specify a separate partition for /home . +For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/mount | /bin/grep -P 'on[\s]+/home[\s]' +expect: on[\s]+/home[\s]+ +system: Linux + +Actual Value: +The command '/bin/mount | /bin/grep -P 'on[\s]+/home[\s]'' did not return any result + The command '/bin/mount | /bin/grep -P 'on[\s]+/home[\s]'' did not return any result + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 600dc1ad0b30f4abdd58c26d2277f795add102c69b0837c707632730e6428ec2 + 1.1.13 Ensure separate partition exists for /home + The /home directory is used to support disk storage needs of local users. + +Rationale: + +If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home . + cmd: /bin/mount | /bin/grep -P 'on[\s]+/home[\s]' +expect: on[\s]+/home[\s]+ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CSCv7|5.1, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + For new installations, during installation create a custom partition setup and specify a separate partition for /home . 
+For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. + +Impact: + +Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. + +References: + +AJ Lewis, 'LVM HOWTO', http://tldp.org/HOWTO/LVM-HOWTO/ + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded" : [PASSED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*[1-9][0-9]*[\s]+profiles[\s]+are[\s]+loaded +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1119) + /usr/lib/ipsec/charon (1331) + /usr/sbin/clamd (1176) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1128) + snap.amazon-ssm-agent.amazon-ssm-agent (1560) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1119) + /usr/lib/ipsec/charon (1331) + /usr/sbin/clamd (1176) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1128) + snap.amazon-ssm-agent.amazon-ssm-agent (1560) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e0be84d79f9cf6937a0d67800e34390571a554557f5b84668874dabc7e706681 + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - loaded + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*[1-9][0-9]*[\s]+profiles[\s]+are[\s]+loaded +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain" : [FAILED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+profiles[\s]+are[\s]+in[\s]+complain[\s]+mode +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1119) + /usr/lib/ipsec/charon (1331) + /usr/sbin/clamd (1176) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1128) + snap.amazon-ssm-agent.amazon-ssm-agent (1560) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1119) + /usr/lib/ipsec/charon (1331) + /usr/sbin/clamd (1176) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1128) + snap.amazon-ssm-agent.amazon-ssm-agent (1560) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1670e10d1b4c61e042ee28544faf2e957074b5c8d24c6a9924d02a52d949650a + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - complain + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+profiles[\s]+are[\s]+in[\s]+complain[\s]+mode +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined" : [PASSED] + +AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. + +Solution: +Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.1,800-171|3.1.2,800-53|AC-3(3),CSCv6|14.4,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3(3),LEVEL|2S,NESA|T5.5.4,NESA|T7.5.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2 + +Policy Value: +cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+processes[\s]+are[\s]+unconfined +system: Linux + +Actual Value: +The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1119) + /usr/lib/ipsec/charon (1331) + /usr/sbin/clamd (1176) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1128) + snap.amazon-ssm-agent.amazon-ssm-agent (1560) +0 processes are unconfined but have a profile defined. + The command '/usr/sbin/apparmor_status' returned : + +apparmor module is loaded. +28 profiles are loaded. +26 profiles are in enforce mode. 
+ /sbin/dhclient + /snap/core/10908/usr/lib/snapd/snap-confine + /snap/core/10908/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /snap/core/9804/usr/lib/snapd/snap-confine + /snap/core/9804/usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/bin/freshclam + /usr/bin/lxc-start + /usr/bin/man + /usr/lib/NetworkManager/nm-dhcp-client.action + /usr/lib/NetworkManager/nm-dhcp-helper + /usr/lib/connman/scripts/dhclient-script + /usr/lib/ipsec/charon + /usr/lib/ipsec/stroke + /usr/lib/snapd/snap-confine + /usr/lib/snapd/snap-confine//mount-namespace-capture-helper + /usr/sbin/clamd + /usr/sbin/tcpdump + lxc-container-default + lxc-container-default-cgns + lxc-container-default-with-mounting + lxc-container-default-with-nesting + man_filter + man_groff + snap-update-ns.amazon-ssm-agent + snap-update-ns.core + snap.core.hook.configure +2 profiles are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent + snap.amazon-ssm-agent.ssm-cli +5 processes have profiles defined. +3 processes are in enforce mode. + /usr/bin/freshclam (1119) + /usr/lib/ipsec/charon (1331) + /usr/sbin/clamd (1176) +2 processes are in complain mode. + snap.amazon-ssm-agent.amazon-ssm-agent (1128) + snap.amazon-ssm-agent.amazon-ssm-agent (1560) +0 processes are unconfined but have a profile defined. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5a0a9394aa1194432b4689b2901733d9696fb84053104c512f292930ef53572a + 1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined + AppArmor profiles define what resources applications are able to access. + +Rationale: + +Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. 
+ cmd: /usr/sbin/apparmor_status +expect: ^[\s]*0[\s]+processes[\s]+are[\s]+unconfined +system: Linux + 800-171|3.1.1, 800-171|3.1.2, 800-53|AC-3(3), CSCv6|14.4, CSCv7|14.6, CSF|PR.AC-4, CSF|PR.PT-3, ITSG-33|AC-3(3), LEVEL|2S, NESA|T5.5.4, NESA|T7.5.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|5.2.2 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to set all profiles to enforce mode: + +# aa-enforce /etc/apparmor.d/* + +Any unconfined processes may need to have a profile created or activated for them and then be restarted. + $Revision: 1.480 $ + + + "3.4.1 Ensure DCCP is disabled - modprobe" : [FAILED] + +The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v dccp +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v dccp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko + The command '/sbin/modprobe -n -v dccp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/dccp/dccp.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e037d1730fcc5a031e6de6a0d1f75ff49783b2de6cb6018827731a84a9c97ae2 + 3.4.1 Ensure DCCP is disabled - modprobe + The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v dccp +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + $Revision: 1.480 $ + + + "3.4.1 Ensure DCCP is disabled - lsmod" : [PASSED] + +The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 38e554ce49d5a8e7cd9c29c4015676f0daaff030139d1d6e278d089e83f14e9c + 3.4.1 Ensure DCCP is disabled - lsmod + The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. + +Rationale: + +If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep dccp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/dccp.conf +and add the following line: + +install dccp /bin/true + $Revision: 1.480 $ + + + "3.4.2 Ensure SCTP is disabled - modprobe" : [FAILED] + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v sctp +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v sctp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko + The command '/sbin/modprobe -n -v sctp' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/sctp/sctp.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1d9c2eb6c7f711dc687ab63f8ea9aca6790f56362a092dc77656990bfec0f2a9 + 3.4.2 Ensure SCTP is disabled - modprobe + The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v sctp +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + $Revision: 1.480 $ + + + "3.4.2 Ensure SCTP is disabled - lsmod" : [PASSED] + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3328ad9e63c7fc3da06905f76d3c33e763e1fe9db4f63c4a09c8096bc0afe7d6 + 3.4.2 Ensure SCTP is disabled - lsmod + The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep sctp | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/sctp.conf +and add the following line: + +install sctp /bin/true + $Revision: 1.480 $ + + + "3.4.3 Ensure RDS is disabled - modprobe" : [FAILED] + +The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v rds +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v rds' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko + The command '/sbin/modprobe -n -v rds' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/rds/rds.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 99fd82e0888527989acb12eff6b6ece5bf7800172acd19f1ef243b0e03cb1f5b + 3.4.3 Ensure RDS is disabled - modprobe + The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/modprobe -n -v rds +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + $Revision: 1.480 $ + + + "3.4.3 Ensure RDS is disabled - lsmod" : [PASSED] + +The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d1a52cc395c78f5e8d7605583c4ac4d7a8e86607a8bff227041c7af748b55925 + 3.4.3 Ensure RDS is disabled - lsmod + The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep rds | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/rds.conf +and add the following line: + +install rds /bin/true + $Revision: 1.480 $ + + + "3.4.4 Ensure TIPC is disabled - modprobe" : [FAILED] + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/modprobe -n -v tipc +expect: install /bin/true +system: Linux + +Actual Value: +The command '/sbin/modprobe -n -v tipc' returned : + +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko + The command '/sbin/modprobe -n -v tipc' returned : + +insmod 
/lib/modules/4.15.0-1011-fips/kernel/net/ipv4/udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/ipv6/ip6_udp_tunnel.ko +insmod /lib/modules/4.15.0-1011-fips/kernel/net/tipc/tipc.ko + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3db2caeceeda7a949bd56503baa0c7fe1febfb52b271a578e55a000b0de87a36 + 3.4.4 Ensure TIPC is disabled - modprobe + The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + cmd: /sbin/modprobe -n -v tipc +expect: install /bin/true +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CIP|007-6-R1, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + $Revision: 1.480 $ + + + "3.4.4 Ensure TIPC is disabled - lsmod" : [PASSED] + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ +Solution: +Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|2S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + The command '/sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}'' returned : + +pass + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b91d59e016faf4fa49bebb7013728be99e25efc8b40fed3656522e47b46fca39 + 3.4.4 Ensure TIPC is disabled - lsmod + The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. + +Rationale: + +If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. 
+ cmd: /sbin/lsmod | /bin/grep tipc | /usr/bin/awk '{print} END {if (NR == 0) print "pass"; else print "fail"}' +expect: pass +system: Linux + 800-171|3.4.6, 800-171|3.4.7, 800-53|CM-7, CN-L3|7.1.3.5(c), CN-L3|7.1.3.7(d), CN-L3|8.1.4.4(b), CSCv6|9.1, CSCv7|9.2, CSF|PR.IP-1, CSF|PR.PT-3, ITSG-33|CM-7, LEVEL|2S, NIAv2|SS13b, NIAv2|SS14a, NIAv2|SS14c, NIAv2|SS15a, QCSC-v1|3.2, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/modprobe.d/ directory ending in .conf +Example: vi /etc/modprobe.d/tipc.conf +and add the following line: + +install tipc /bin/true + $Revision: 1.480 $ + + + "3.7 Disable IPv6" : [FAILED] + +Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented. + +Rationale: + +If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. + +Solution: +Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: + +GRUB_CMDLINE_LINUX='ipv6.disable=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|11,CSCv6|3,CSCv6|9.1,CSCv7|9.4,CSF|PR.DS-6,LEVEL|2NS,QCSC-v1|3.2 + +Policy Value: +expect: ipv6\.disable[\s]*=[\s]*1 +file: /etc/default/grub +regex: ^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]* +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/default/grub - regex '^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]*' found - expect 'ipv6\.disable[\s]*=[\s]*1' not found in the following lines: + 11: GRUB_CMDLINE_LINUX="audit=1" + Non-compliant file(s): + /etc/default/grub - regex '^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]*' found - expect 'ipv6\.disable[\s]*=[\s]*1' not found in the following lines: + 11: GRUB_CMDLINE_LINUX="audit=1" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
dcc9e323d3118c8552c80fa72b9ec93ea2902b582d9f906453a093d36b90f2e4 + 3.7 Disable IPv6 + Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented. + +Rationale: + +If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. + expect: ipv6\.disable[\s]*=[\s]*1 +file: /etc/default/grub +regex: ^[\s]*GRUB_CMDLINE_LINUX[\s]*=[\s]* +system: Linux + 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv6|11, CSCv6|3, CSCv6|9.1, CSCv7|9.4, CSF|PR.DS-6, LEVEL|2NS, QCSC-v1|3.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: + +GRUB_CMDLINE_LINUX='ipv6.disable=1' + +Run the following command to update the grub2 configuration: + +# update-grub + $Revision: 1.480 $ + + + "4.1.1.1 Ensure auditd is installed" : [FAILED] + +auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ +Solution: +Run the following command to Install auditd + +# apt install auditd audispd-plugins + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.8,800-53|CM-7(5),CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,LEVEL|2S,PCI-DSSv3.1|12.3.7,PCI-DSSv3.2|12.3.7,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3 + +Policy Value: +cmd: /usr/bin/dpkg -s audispd-plugins 2>&1 +expect: install[\s]+ok[\s]+installed +system: Linux + +Actual Value: +The command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : + +dpkg-query: package 'audispd-plugins' is not installed and no information is available +Use dpkg --info (= dpkg-deb --info) to examine archive files, +and dpkg --contents (= dpkg-deb --contents) to list their contents. + The command '/usr/bin/dpkg -s audispd-plugins 2>&1' returned : + +dpkg-query: package 'audispd-plugins' is not installed and no information is available +Use dpkg --info (= dpkg-deb --info) to examine archive files, +and dpkg --contents (= dpkg-deb --contents) to list their contents. + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a3b73e25f8f83243c98dec8a14f08e61e6cde434944acc7df9334c5c10557b7e + 4.1.1.1 Ensure auditd is installed + auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ cmd: /usr/bin/dpkg -s audispd-plugins 2>&1 +expect: install[\s]+ok[\s]+installed +system: Linux + 800-171|3.4.8, 800-53|CM-7(5), CSCv7|6.2, CSCv7|6.3, CSF|PR.IP-1, CSF|PR.PT-3, ISO/IEC-27001|A.12.5.1, ISO/IEC-27001|A.12.6.2, LEVEL|2S, PCI-DSSv3.1|12.3.7, PCI-DSSv3.2|12.3.7, SWIFT-CSCv1|2.3, TBA-FIISB|44.2.2, TBA-FIISB|49.2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Run the following command to Install auditd + +# apt install auditd audispd-plugins + $Revision: 1.480 $ + + + "4.1.1.2 Ensure auditd service is enabled" : [PASSED] + +Enable and start the auditd daemon to record system events. + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. + +Solution: +Run the following command to enable auditd : + +# systemctl --now enable auditd + +Notes: + +Additional methods of enabling a service exist. Consult your distribution documentation for appropriate methods. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CIP|007-6-R1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print "disabled" }' +dont_echo_cmd: YES +expect: enabled +system: Linux + +Actual Value: +The command returned : + +enabled + The command returned : + +enabled + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ab5082f2a6664c330fafb8ccb5a6e113b3acedf28af7be360007128a4e2ee43c + 4.1.1.2 Ensure auditd service is enabled + Enable and start the auditd daemon to record system events. + +Rationale: + +The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. 
+ cmd: /bin/systemctl is-enabled auditd | /usr/bin/awk '{print} END {if(NR==0) print "disabled" }' +dont_echo_cmd: YES +expect: enabled +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CIP|007-6-R1, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|6.2, CSCv7|6.2, CSCv7|6.3, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, PCI-DSSv3.1|2.2.2, PCI-DSSv3.1|2.2.3, PCI-DSSv3.2|2.2.2, PCI-DSSv3.2|2.2.3, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + PASSED + https://workbench.cisecurity.org/files/2611 + Run the following command to enable auditd : + +# systemctl --now enable auditd + +Notes: + +Additional methods of enabling a service exist. Consult your distribution documentation for appropriate methods. + $Revision: 1.480 $ + + + "4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled" : [PASSED] + +Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. + +Rationale: + +Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected. + +Solution: +Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: + +GRUB_CMDLINE_LINUX='audit=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +Notes: + +This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. + +Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv6|6.2,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4 + +Policy Value: +expect: ^[\s]*linux[\s]+.*audit=1.*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + +Actual Value: +Compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit=1.*[\s]*$' found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + Compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit=1.*[\s]*$' found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux 
/boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + beb3e9a25319309353b7d2126839697cb26ef1a207d7b42173b5a7d4768146d7 + 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled + Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. + +Rationale: + +Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected. + expect: ^[\s]*linux[\s]+.*audit=1.*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + 800-53|AU-14(1), 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv6|6.2, CSCv7|6.2, CSCv7|6.3, CSF|PR.DS-6, CSF|PR.PT-1, LEVEL|2S, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: + +GRUB_CMDLINE_LINUX='audit=1' + +Run the following command to update the grub2 configuration: + +# update-grub + +Notes: + +This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. + +Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment. + $Revision: 1.480 $ + + + "4.1.1.4 Ensure audit_backlog_limit is sufficient" : [FAILED] + +The backlog limit has a default setting of 64 + +Rationale: + +during boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. 
+ +Solution: +Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: +Example: + +GRUB_CMDLINE_LINUX='audit_backlog_limit=8192' + +Run the following command to update the grub2 configuration: + +# update-grub + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-14(1),800-53|SI-7(9),CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|6.2,CSCv7|6.3,CSF|PR.DS-6,CSF|PR.PT-1,LEVEL|2S,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4 + +Policy Value: +expect: ^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + +Actual Value: +Non-compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$' not found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + Non-compliant file(s): + /boot/grub/grub.cfg - regex '^[\s]*linux[\s]+' found - expect '^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$' not found in the following lines: + 123: linux /boot/vmlinuz-4.15.0-1011-fips 
root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 141: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 158: linux /boot/vmlinuz-4.15.0-1011-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + 176: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro audit=1 console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 fips=1 fips=1 + 193: linux /boot/vmlinuz-4.15.0-2000-aws-fips root=UUID=90e1dfca-b055-4f93-b62e-6347bcb451a7 ro recovery nomodeset dis_ucode_ldr audit=1 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0d5a1c8227f347c747dd36d194b25c1c2189dfffc21c8c9bd70fe6233ae8a37b + 4.1.1.4 Ensure audit_backlog_limit is sufficient + The backlog limit has a default setting of 64 + +Rationale: + +during boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. + expect: ^[\s]*linux[\s]+.*audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,}).*[\s]*$ +file: /boot/grub/grub.cfg +regex: ^[\s]*linux[\s]+ +system: Linux + 800-53|AU-14(1), 800-53|SI-7(9), CN-L3|8.1.2.3, CN-L3|8.1.4.6, CSCv7|6.2, CSCv7|6.3, CSF|PR.DS-6, CSF|PR.PT-1, LEVEL|2S, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: +Example: + +GRUB_CMDLINE_LINUX='audit_backlog_limit=8192' + +Run the following command to update the grub2 configuration: + +# update-grub + $Revision: 1.480 $ + + + "4.1.2.1 Ensure audit log storage size is configured" : [FAILED] + +Configure the maximum size of the audit log file. 
Once the log reaches the maximum size, it will be rotated and a new log file will be started. + +Rationale: + +It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. + +Solution: +Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: + +max_log_file = <MB> + +Notes: + +The max_log_file parameter is measured in megabytes. + +Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|2S,NESA|T3.3.1,NESA|T3.6.2 + +Policy Value: +expect: ^[\s]*max_log_file[\s]*=[\s]*32[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file[\s]*=' found - expect '^[\s]*max_log_file[\s]*=[\s]*32[\s]*$' not found in the following lines: + 12: max_log_file = 8 + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file[\s]*=' found - expect '^[\s]*max_log_file[\s]*=[\s]*32[\s]*$' not found in the following lines: + 12: max_log_file = 8 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e500cc8a802bc7694994e6db78f18b034e1d28782eb4a6912325b339240c22ed + 4.1.2.1 Ensure audit log storage size is configured + Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. + +Rationale: + +It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. 
+ expect: ^[\s]*max_log_file[\s]*=[\s]*32[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file[\s]*= +system: Linux + 800-53|AU-4, CSCv6|6.3, CSCv7|6.4, CSF|PR.DS-4, CSF|PR.PT-1, ITSG-33|AU-4, LEVEL|2S, NESA|T3.3.1, NESA|T3.6.2 + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: + +max_log_file = <MB> + +Notes: + +The max_log_file parameter is measured in megabytes. + +Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness. + $Revision: 1.480 $ + + + "4.1.2.2 Ensure audit logs are not automatically deleted" : [FAILED] + +The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. + +Rationale: + +In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. 
+ +Solution: +Set the following parameter in /etc/audit/auditd.conf: + +max_log_file_action = keep_logs + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1 + +Policy Value: +expect: ^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file_action[\s]*=' found - expect '^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$' not found in the following lines: + 19: max_log_file_action = ROTATE + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*max_log_file_action[\s]*=' found - expect '^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$' not found in the following lines: + 19: max_log_file_action = ROTATE + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6e13000c5b809d2c8fc00608ff7cd19e333e485822287be53c2e4f2c542242dd + 4.1.2.2 Ensure audit logs are not automatically deleted + The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. + +Rationale: + +In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. 
+ expect: ^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*max_log_file_action[\s]*= +system: Linux + 800-171|3.3.4, 800-53|AU-5, CN-L3|7.1.3.3(e), CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NESA|T3.6.2, QCSC-v1|13.2, QCSC-v1|8.2.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameter in /etc/audit/auditd.conf: + +max_log_file_action = keep_logs + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'" : [FAILED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NIAv2|GS7f + +Policy Value: +expect: ^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*space_left_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*space_left_action[\s]*=' found - expect '^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$' not found in the following lines: + 21: space_left_action = SYSLOG + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*space_left_action[\s]*=' found - expect '^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$' not found in the following lines: + 21: space_left_action = SYSLOG + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 851345a359be44bc57399f60628166b6e59dfdc9952d2be7edc6f30baf14f745 + 4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = 
email' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + expect: ^[\s]*space_left_action[\s]*=[\s]*[Ee][Mm][Aa][Ii][Ll][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*space_left_action[\s]*= +system: Linux + 800-53|AU-5, CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NIAv2|GS7f + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'" : [PASSED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. 
+ +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.4,800-53|AU-5,CN-L3|7.1.3.3(e),CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S,NESA|T3.6.2,QCSC-v1|13.2,QCSC-v1|8.2.1 + +Policy Value: +expect: ^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*action_mail_acct[\s]*= +system: Linux + +Actual Value: +Compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*action_mail_acct[\s]*=' found - expect '^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$' found in the following lines: + 23: action_mail_acct = root + Compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*action_mail_acct[\s]*=' found - expect '^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$' found in the following lines: + 23: action_mail_acct = root + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 87a5019362188f880b12b0db9f7a6722c0d770cc81e56dc2ad0431e391a8028a + 4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. 
+ expect: ^[\s]*action_mail_acct[\s]*=[\s]*root[\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*action_mail_acct[\s]*= +system: Linux + 800-171|3.3.4, 800-53|AU-5, CN-L3|7.1.3.3(e), CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S, NESA|T3.6.2, QCSC-v1|13.2, QCSC-v1|8.2.1 + PASSED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'" : [FAILED] + +The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + +Solution: +Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-53|AU-5,CSCv6|6.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-5,LEVEL|2S + +Policy Value: +expect: ^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*admin_space_left_action[\s]*= +system: Linux + +Actual Value: +Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*admin_space_left_action[\s]*=' found - expect '^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$' not found in the following lines: + 25: admin_space_left_action = SUSPEND + Non-compliant file(s): + /etc/audit/auditd.conf - regex '^[\s]*admin_space_left_action[\s]*=' found - expect '^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$' not found in the following lines: + 25: admin_space_left_action = SUSPEND + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2d0bf429882a38e136552f24adebfb06fbd0317cc794eed6270bd199397c7ad6 + 4.1.2.3 Ensure system is disabled when 
audit logs are full - 'admin_space_left_action = halt' + The auditd daemon can be configured to halt the system when the audit logs are full. + +Rationale: + +In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. + expect: ^[\s]*admin_space_left_action[\s]*=[\s]*[Hh][Aa][Ll][Tt][\s]*$ +file: /etc/audit/auditd.conf +regex: ^[\s]*admin_space_left_action[\s]*= +system: Linux + 800-53|AU-5, CSCv6|6.3, CSCv7|6.4, CSF|PR.PT-1, ITSG-33|AU-5, LEVEL|2S + FAILED + https://workbench.cisecurity.org/files/2611 + Set the following parameters in /etc/audit/auditd.conf: + +space_left_action = email +action_mail_acct = root +admin_space_left_action = halt + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a8b2f2261eb3b7b4d80071498b7d58f37db532a39c36d5524012ce0d209aacb7 + 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S 
clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7c6ebd0e63d5d58bc54bd5116879744822fde8c539fd3639d932c3d905883797 + 4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*adjtimex +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e853acce9dc707d6b8eea4d76b70a4167adaa35cca3c51b8910ab1b72d0c0a6e + 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k 
time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 8f7bd6440f3595de3ce5858b86e3cba3b1c2c64d04a300eec8ddd29b2054a2ab + 4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+.*clock_settime +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d28681e1b34f220361864e365f3e5749befdf339d6d105df25099f689871bf09 + 4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - /etc/localtime" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +file: /etc/audit/audit.rules +regex: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change" + The file "/etc/audit/audit.rules" does not contain "-w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1ad48da139aca36a97542dff2fca8abec77e14832952157e5672774aeb7c835a + 4.1.3 Ensure events that modify date and time information are collected - /etc/localtime + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +file: /etc/audit/audit.rules +regex: -w[\s]+/etc/localtime[\s]+-p[\s]+wa[\s]+-k[\s]+.*time-change +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4498a5dbbb2f0d9cbbfe6506b64302bb0cb1fe2e04385a5472cba0f36dcbb82e + 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*adjtimex)(?=.*settimeofday).*-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S 
clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4de4992a4a1671fff353d799fcde2677e169b780f53a041d5e6ca0be505c3ce3 + 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit) + Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+key=time-change$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k 
time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6e2ad8f0439fb2d4a04ac3cdf0f5db2e235296d8aef9c0fab064c32e219ebab7 + 4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*adjtimex +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)" : [FAILED] + +Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime" + The file "/etc/audit/audit.rules" does not contain "-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f90a0e9dce9450ed4f31eda16f406eb2471769fe1a80b1c62cbadaa34207a34d + 4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit) + Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change' + +Rationale: + +Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 
+ expect: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +file: /etc/audit/audit.rules +regex: -a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+.*clock_settime +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/time-change.rules +and add the following lines: + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/group" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b31c7ecc03eec809270d0771b0c8cb5604d6f4606cd9962d50d0868b69451237 + 4.1.4 Ensure events that modify 
user/group information are collected - /etc/group + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f992026cf97ff0cc3205f67b112e45cf7432da5e21e155ffa062907a996d07a2 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/group[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/passwd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c4225ffe1dc7f8b04ea520c2933cd151af3acc65e68f7b0aab904a33910728cb + 4.1.4 Ensure events that modify user/group information are collected - /etc/passwd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. 
+ +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e771db8e6788e6fdc4d3a597670422a314a7c68d376405d8ecd409a4988452fd + 4.1.4 Ensure events that modify user/group information are collected - auditctl 
/etc/passwd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/passwd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ad9bbec9aefae616eaf490912d1dfc8e1174da53045878503970261b0900fcd9 + 4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ expect: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 9107757c81c15efbbf8a5d6c0f00878c037f79bf972e7d96ba41211f5bd3e00c + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/gshadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/gshadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/shadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. 
The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 936f891dfe1a0d5ea0917dcf9e4c56066c9159f8662f7390b7d5d59ecb844272 + 4.1.4 Ensure events that modify 
user/group information are collected - /etc/shadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b6b70b67ef4e2556956c13264699d60e45aec6399aea37d149d7b2a0b33c4bf3 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/shadow[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2f3f4a76f9880bea92989e7caa0afd0d26c00b1e73ae19666df23e1b7c3fe57a + 4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + expect: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/security\/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd" : [FAILED] + +Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
9d5d30d175370be54d1f830b7c7d3965c9c1306a0caf83044fa60f98eeb8a0a1 + 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd + Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file. + +Rationale: + +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/security/opasswd[\s]+-p[\s]+wa[\s]+-k[\s]+identity$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/identity.rules +and add the following lines: + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0420b9df8b56be058851e1b46fd032f9bd3bde339f6b4c156a7ea324009295d4 + 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. 
+ +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k 
system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4c7a06c32c59688deb682e545cab38af927004d77a43e117345f666e7417c398 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - issue" : [FAILED] + +Record changes to network environment files or system calls. 
The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a4627cee557446d2e1af27364b89c81b8214345ff4cc59e2e983a5c0d559d6ec + 4.1.5 Ensure events that modify the system's network environment are collected - issue + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d4f8c013750a1db1505dfc0e5d8998d672c90caa1f796bf1f2468ac91ed0fb44 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules 
+and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - issue.net" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b0bac992a93d7597d9b1c6c3459b8cff3e6f268ef7b8ff65df7b3a87164b5059 + 4.1.5 Ensure events that modify the system's network environment are collected - issue.net + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/issue\.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k 
system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5c19eed8ec5c51fff27ba1718811b14292012c1ebf6c9b95315ecff1f45ec8b9 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/issue.net[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + de728ffbc8b0efcf9e36595a1d10763638e77abd0175917dc8f1766eb865c4cb + 4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a 
always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1780c1a10342cecf2f612ea67cf848a1bed2d0b7f96c99ce45ee8d1d676c56c0 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/hosts[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules 
+and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - /etc/network" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4dd1d3e582c76c6eabd1a2c47b3089fa19de4bfabfe56c9b76c277c20df633c7 + 4.1.5 Ensure events that modify the system's network environment are collected - /etc/network + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl network" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 3e9a4f4ccf9b5f576402bbbfca100daf55f08c91c39be9397e84dde2eba4e1ec + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl network + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. 
The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/network[\s]+-p[\s]+wa[\s]+-k[\s]+system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 1e7a5952df1e4ee4a598e84fc4f102e2d5053175e70f9a7b129f1a5c2babf2b6 + 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. 
+ +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+sethostname[\s]+-S[\s]+setdomainname[\s]+-k[\s]+system-locale[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k 
system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)" : [FAILED] + +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 98a0ebf0015ed7c023df1b273dfeb0da2ccfd9588cd207f10c2363a30e9be3f0 + 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit) + Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. + +Rationale: + +Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.' 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*sethostname)(?=.*setdomainname).*-F[\s]+key=system-locale$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/system-locale.rules +and add the following lines: + +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/" : [FAILED] + +Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6bd95d1d5d7bb72928b49fe6576b9c7dcb81435662c7afb0e280f5bd51bb1ceb + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor/ + Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + expect: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2ddfce8b96fae8514b37579579cc75c0a5c5f6182a479944134de370fbec8fed + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/ + Monitor AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor/?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6105b9523a81171ea54322d658ca1fd99a26a57eb878563ac6f6bd768a136b97 + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor.d/ + Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + expect: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc/apparmor.d/[\s]+-p[\s]+wa[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/" : [FAILED] + +Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. + +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b7ef7c8286a7e4ef03d78673eced8b82b2353009cda557ccbca8f56501148434 + 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d/ + Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. 
+ +Rationale: + +Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/etc/apparmor.d[/]?[\s]+-p[\s]+wa[\s]+-k[\s]+MAC-policy$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/MAC-policy.rules +and add the following lines: + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/lastlog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 11e3dbacda852bfa703326b36102e26f28cfa54ba9a3639ceb120ad3e34acda5 + 4.1.7 Ensure login and logout events are collected - /var/log/lastlog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. 
+ +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7ab0bd3f92d264704402b1bd7557aeb927c6ee304d2c675fa3a533d17340bab0 + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/faillog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a0475517601e550f306cb5fc117f94884adc3d2d0a27bfceec74926236d07c31 + 4.1.7 Ensure login and logout events are collected - /var/log/faillog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 897994af1adf891d3ec6320e2e2c7ce99413c1004c126251ddb453a345248d1f + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog + Monitor 
login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - /var/log/tallylog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + f4c95ac4492bc2fd3b42c854b99d763c1092e372cb5c3dc8e73f2f53d2f18974 + 4.1.7 Ensure login and logout events are collected - /var/log/tallylog + Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. 
The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + expect: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog" : [FAILED] + +Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2a20560c097b3583fc8ae4a9f4a4f81ccd115ce1d577cacb7a3d5bce2b0bb38b + 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog + 
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module + +Rationale: + +Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/tallylog[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/logins.rules +and add the following lines: + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - utmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' 
The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e0e32c7abaa520af57d5fcd0509af4efd600d0fe6194e88bfd070eeb0b7c32f2 + 4.1.8 Ensure session initiation information is collected - utmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl utmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
334856ae21edbfc8e4ee69474e5162330346bb8eb005bf32c71230ef47e269e7 + 4.1.8 Ensure session initiation information is collected - auditctl utmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/run/utmp[\s]+-p[\s]+wa[\s]+-k[\s]+session$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - wtmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5d42e9edf7128427652c2d26d8071dbe75373a4cdee761a506b1e9a4342ee0cd + 4.1.8 Ensure session initiation information is collected - wtmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl wtmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
778fcea391b5dcbd7e4e9d94f0041c11506ff1b24e4ec11d2ea035069bc4380e + 4.1.8 Ensure session initiation information is collected - auditctl wtmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/wtmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - btmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5b94974042792bdc279a8e5a10036b5991f126f79e06946a7efaea572d31b3bf + 4.1.8 Ensure session initiation information is collected - btmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). 
+ expect: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.8 Ensure session initiation information is collected - auditctl btmp" : [FAILED] + +Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' 
+ +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.5,CSCv7|16.11,CSCv7|16.13,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
ef94c6dcf22a4f89985b81b0e6a565bbbdc4d9e9f1c29468d31dc32bf24b6a1d + 4.1.8 Ensure session initiation information is collected - auditctl btmp + Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' + +Rationale: + +Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+/var/log/btmp[\s]+-p[\s]+wa[\s]+-k[\s]+logins$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.5, CSCv7|16.11, CSCv7|16.13, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/session.rules +and add the following lines: + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +Notes: + +The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) + 
+Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ed612d721cb76e091a63409120de4a8eb33983a648ac29cfe81e1c362ef0881d + 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F 
auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S 
fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
8f3913220ffa84f56d1246020c38b12f7ca4319180661291865bd8eaf2a4282e + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S 
fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b240407faf92342c6c14680877ee59d28c2ced52e61d3c1fbb39ad29b3be3527 + 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules 
+Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) 
print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5433cc45f04c9d8dc054f61f8ed24e857d5ac8a2c9f389d40a50e60326c1145a + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S 
lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 8bace636fd3d0ee4af88ffd2071c61dc69517fa01f308d6d7aac72e8f0d828ef + 4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit 
-F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 62ce63cf9c422074f5f884cc643c35470363c956e7882ed2a99f6cb2cfa7d473 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s](?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k 
perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0df8a92a377f538eda7d6d72950db31248cedf3888d8f7814e5cd9641421a0bc + 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chmod[\s]+-S[\s]+fchmod[\s]+-S[\s]+fchmodat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F 
auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S 
fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 
2cb128c8490dc349fd5f43a1e18b6fd5b909860ff92287ff0291ce89870823fd + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chmod)(?=.*fchmod)(?=.*fchmodat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S 
fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ff4d64871baeccb6b463a35ebd3299858b02f3396814c4cc063edcec9bb16f30 + 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+chown[\s]+-S[\s]+fchown[\s]+-S[\s]+fchownat[\s]+-S[\s]+lchown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi 
/etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) 
print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0efe00fae162ed63d3a7a1f7d308be5bf43950104f0262044cfc67e0a405ba25 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*chown)(?=.*fchown)(?=.*fchownat)(?=.*lchown).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S 
lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + cd8157063033a8ee2c02be626b5398d6afe880168114e845196c9f105bc8e0c6 + 4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit) + Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+perm_mod[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+setxattr[\s]+-S[\s]+lsetxattr[\s]+-S[\s]+fsetxattr[\s]+-S[\s]+removexattr[\s]+-S[\s]+lremovexattr[\s]+-S[\s]+fremovexattr[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s] +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S 
chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)" : [FAILED] + +Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3.6,CSCv7|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0c37fb782e57215ee0d927c44e3ce193449ccb56b406724c084772023fdb8be3 + 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit) + Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. 
The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=perm_mod$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3.6, CSCv7|5.5, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/perm_mod.rules +and add the following lines: + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k 
perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c43555aef0dbf51050493b49ee3f20e5ef50c2237c34dcf2d6c0603971ccc093 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b3caa9146de0f5959793e2ccad56b548524aa36c1c2601d3fa415655ccf90923 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + bf99c3878172804505f3bc5c0fd73b06da8420e24c756fb7f3f40e0141393433 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + cefb7ab557baa40a03012af96f8b142c4308f9ae3dc7fb829109c856785412f1 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=(i386|b32)[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e4c1eedd2a3bbb88dbd046bd31d3e5476ab90c15cec8eaa13bd186d00ff57272 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit) + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 2395aa07f0abf9761dd934e48a53afa6f8071b84c709dfb525ff3f9e43623ead + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit) + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EACCES[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 08e70e7093244321f07b8371516d57c030c72313285a69200b865f0d8eb35910 + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit) + Monitor for unsuccessful attempts to access files. 
The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+creat[\s]+-S[\s]+open[\s]+-S[\s]+openat[\s]+-S[\s]+truncate[\s]+-S[\s]+ftruncate[\s]+-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+access[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)" : [FAILED] + +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|14.6,CSCv7|14.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5e0c411a1e9c2491ff606cba6d8c821e12affc82cfd65c4977376362fd8e83dd + 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit) + Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.' + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*open)(?=.*truncate)(?=.*creat)(?=.*ftruncate)(?=.*openat).*-F[\s]+exit=-EPERM[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=access$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|14.6, CSCv7|14.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a 
always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/access.rules +and add the following lines: + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.11 Ensure use of privileged commands is collected" : [FAILED] + +Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. + +Solution: +To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. 
The audit parameters associated with this are as follows: +-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events +All audit records should be tagged with the identifier 'privileged'. +Run the following command replacing with a list of partitions where programs can be executed from on your system: + +# find <partition> -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print +'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 +-k privileged' }' + +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/privileged.rules +And add all resulting lines to the file. + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSCv7|5.1,CSF|PR.AC-4,LEVEL|2S,QCSC-v1|5.2.2,QCSC-v1|6.2 + +Policy Value: +cmd: IFS=$''; LINES=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f); for LINE in $LINES; do LINE="-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"; if [ $(grep -- "$LINE" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo "$LINE - not found in /etc/audit/rules.d/"; fi; done +dont_echo_cmd: YES +not_expect: not found +system: Linux + +Actual Value: +The command returned : + +-a always,exit -F path=/opt/threatstack/sbin/tsfim +/opt/threatstack/sbin/tsauditd +/opt/threatstack/sbin/tsagentd +/opt/threatstack/sbin/raudit +/usr/lib/openssh/ssh-keysign +/usr/lib/snapd/snap-confine +/usr/lib/eject/dmcrypt-get-device +/usr/lib/dbus-1.0/dbus-daemon-launch-helper +/usr/lib/x86_64-linux-gnu/utempter/utempter +/usr/lib/policykit-1/polkit-agent-helper-1 +/usr/bin/passwd +/usr/bin/newgrp +/usr/bin/pkexec +/usr/bin/bsd-write +/usr/bin/expiry +/usr/bin/chage +/usr/bin/chfn +/usr/bin/traceroute6.iputils +/usr/bin/crontab +/usr/bin/at +/usr/bin/sudo +/usr/bin/gpasswd +/usr/bin/ssh-agent +/usr/bin/chsh +/usr/bin/mlocate +/usr/bin/wall +/sbin/unix_chkpwd +/sbin/pam_extrausers_chkpwd +/bin/mount +/bin/su +/bin/umount +/bin/ping +/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/ + The command returned : + +-a always,exit -F path=/opt/threatstack/sbin/tsfim +/opt/threatstack/sbin/tsauditd +/opt/threatstack/sbin/tsagentd +/opt/threatstack/sbin/raudit +/usr/lib/openssh/ssh-keysign +/usr/lib/snapd/snap-confine +/usr/lib/eject/dmcrypt-get-device +/usr/lib/dbus-1.0/dbus-daemon-launch-helper +/usr/lib/x86_64-linux-gnu/utempter/utempter +/usr/lib/policykit-1/polkit-agent-helper-1 +/usr/bin/passwd +/usr/bin/newgrp +/usr/bin/pkexec +/usr/bin/bsd-write +/usr/bin/expiry +/usr/bin/chage +/usr/bin/chfn 
+/usr/bin/traceroute6.iputils +/usr/bin/crontab +/usr/bin/at +/usr/bin/sudo +/usr/bin/gpasswd +/usr/bin/ssh-agent +/usr/bin/chsh +/usr/bin/mlocate +/usr/bin/wall +/sbin/unix_chkpwd +/sbin/pam_extrausers_chkpwd +/bin/mount +/bin/su +/bin/umount +/bin/ping +/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - not found in /etc/audit/rules.d/ + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 293349b070010c7e68206a4468974e29b921c4dd13799a9fcfdf8db0e3baf248 + 4.1.11 Ensure use of privileged commands is collected + Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. + cmd: IFS=$''; LINES=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f); for LINE in $LINES; do LINE="-a always,exit -F path=$LINE -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"; if [ $(grep -- "$LINE" /etc/audit/rules.d/*.rules | wc -l) -eq 0 ] ; then echo "$LINE - not found in /etc/audit/rules.d/"; fi; done +dont_echo_cmd: YES +not_expect: not found +system: Linux + 800-171|3.1.7, 800-53|AC-6(10), CSCv6|5.1, CSCv7|5.1, CSF|PR.AC-4, LEVEL|2S, QCSC-v1|5.2.2, QCSC-v1|6.2 + FAILED + https://workbench.cisecurity.org/files/2611 + To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. 
The audit parameters associated with this are as follows: +-F path=' $1 ' - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events +All audit records should be tagged with the identifier 'privileged'. +Run the following command replacing with a list of partitions where programs can be executed from on your system: + +# find <partition> -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print +'-a always,exit -F path=' $1 ' -F perm=x -F auid>=1000 -F auid!=4294967295 +-k privileged' }' + +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/privileged.rules +And add all resulting lines to the file. + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - 32-bit" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. 
While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 507850f012ae2f026e5da7ae28cb529fa8dc8e011c9075b8a344e04be97c136e + 4.1.12 Ensure successful file system mounts are collected - 32-bit + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. 
+ +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F 
auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit)" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. 
System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 35f9902a028545a929c9e4b2d8182848d5cf7af326e9ce8b34cdc98b8de923f1 + 4.1.12 Ensure successful file system mounts are collected - auditctl (32-bit) + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - 64-bit" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. 
The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + The file "/etc/audit/audit.rules" does not contain 
"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + ec348285db8173a031444fde71da70cc9af348e5d5844414723d00f5b06ac0e3 + 4.1.12 Ensure successful file system mounts are collected - 64-bit + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+mounts[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)" : [FAILED] + +Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. 
The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|13,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a 
always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 4e1f48102917b94e03671569ced1ed5f2e12c75dbc073559273ebb87440f9502 + 4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit) + Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=mounts$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|13, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/mounts.rules +and add the following lines: + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +Notes: + +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - 32-bit" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. 
This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + c4c538eb0d9adc4e1b9f3f040c5dbebf537f24581faf5d3e97c6e405773b7171 + 4.1.13 Ensure file deletion events by users are collected - 32-bit + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. 
+ +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in 
.rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit)" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 
0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 18496caba825b6b3b7aba408aa2fdd82264037b1571d232ef605c9d8cfd83682 + 4.1.13 Ensure file deletion events by users are collected - auditctl (32-bit) + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - 64-bit" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. 
This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7f02e4367d27f7b08950a84fe787f594ee41e6087a948c2e6048dce565702def + 4.1.13 Ensure file deletion events by users are collected - 64-bit + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. 
+ +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+unlink[\s]+-S[\s]+unlinkat[\s]+-S[\s]+rename[\s]+-S[\s]+renameat[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+-k[\s]+delete[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in 
.rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)" : [FAILED] + +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|13,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 
0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 29fa10a71ae56832ee59df1f6c16f0ca28c3a06b7f70ed10b38dbe8af2770969 + 4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit) + Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier 'delete'. + +Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: + +# awk '/^s*UID_MIN/{print $2}' /etc/login.defs + +If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. + +Rationale: + +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat).*-F[\s]+auid>=1000[\s]+-F[\s]+auid!=-1[\s]+-F[\s]+key=delete$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv7|13, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/audit.rules +and add the following lines: + +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/delete.rules +and add the following lines: + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +Notes: + +At a minimum, configure the audit system to collect file deletion events for all users and root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers" : [FAILED] + +Monitor scope changes for system administrations. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + e8fef2d63fce68b3aebdf87672f23f44b82784ec90d5cb5d7487085164337768 + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - 
sudoers + Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + expect: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 6c9565caf492ae04a934479f78d8dfec3cd8319153c6414eeb016504eab9a8cc + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers + Monitor scope 
changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 17db8c79852c4ffca552336921bdb821d619b8eaa1aa78a63febe192a38fc63d + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d + Monitor scope changes for system administrations. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + expect: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d" : [FAILED] + +Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. 
The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.4,CSCv7|4.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + eb02bf62db0abc558120b5c2615efe2911761a7c01d578405de0c1ac1c05bd93 + 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d 
+ Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.' + +Rationale: + +Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/etc\/sudoers\.d\/?[\s]+-p[\s]+wa[\s]+-k[\s]+scope$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.4, CSCv7|4.8, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/scope.rules +and add the following lines: + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.15 Ensure system administrator actions (sudolog) are collected" : [FAILED] + +Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . 
Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b2803cc5e0e322fccb3bb2ca3cfea7299471320ff54cdf6d3d9f001295058e00 + 4.1.15 Ensure system administrator actions (sudolog) are collected + Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. 
+ expect: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl" : [FAILED] + +Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. 
+ +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. + +Solution: +Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|5.1,CSCv7|4.9,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P 
'^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 501b2b659bd8c6c0e4765b61086febd1e353604ec08dac2b9d5dd2b4066ee2f5 + 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl + Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. + +Rationale: + +Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. 
+ cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/var\/log\/sudo\.log[\s]+-p[\s]+wa[\s]+-k[\s]+actions$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|5.1, CSCv7|4.9, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following line: + +-w <Path to sudo logfile> -p wa -k actions + +Example: vi /etc/audit/rules.d/actions.rules +and add the following line: + +-w /var/log/sudo.log -p wa -k actions + +Notes: + +The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - insmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b39bb1a24e89e67fdd9a1cc5bc903984ef011fcdcdf7aaf4aac97b6ae1cf5a56 + 4.1.16 Ensure kernel module loading and unloading is collected - insmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 5f5dca23dc39b8f14aec44a2569c75add61c907fb3c78d179122a5afeedfe177 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - rmmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 68902d2f68c462e5f95fa1790fccfd1a3888d03b696d9da7eda317eead033d72 + 4.1.16 Ensure kernel module loading and unloading is collected - rmmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 7275547d8a319270eb93eed611c7ac20adcd4beae74ed3fbeccee11b8e354547 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - modprobe" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + d8b698b73645dad96c72c6d08d8f28741d4e127ec85616670dbdf427facf3604 + 4.1.16 Ensure kernel module loading and unloading is collected - modprobe + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 91e5bdbac3f50f475ad5a0baa06f7dc19e805a2291d09b0860012c09cff73367 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 939c46efe9f7e1b91be256d2ec9212bf5153e5f7d865a97fe4b5e004f00e4bc7 + 4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (32-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. 
+ +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + a3d53b1ab5b465ff86cc2932355cdc38a25da88f6f1864abff3097b68246ad6a + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (32-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. 
Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set 
active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. 
+ +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + +Actual Value: +The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + The file "/etc/audit/audit.rules" does not contain "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$" + 
CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 394a22f398ef95a2f0d84a72ba5d8addbb93d040f41c3f3f4e466fb90737b113 + 4.1.16 Ensure kernel module loading and unloading is collected - init_module/delete_module (64-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. 
+ expect: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +file: /etc/audit/audit.rules +regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+init_module[\s]+-S[\s]+delete_module[\s]+-k[\s]+modules[\s]*$ +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit)" : [FAILED] + +Monitor the loading and unloading of kernel modules. 
The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + +Solution: +For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot. 
+ +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv6|3,CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|2S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1 + +Policy Value: +cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + +Actual Value: +The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + The command '/sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}'' returned : + +fail + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + b9cb045ebb817de1c09597630d7436dfd8db88613f24cf5f90de25e345efbfe9 + 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit) + Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. 
Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of 'modules'. + +Rationale: + +Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. + cmd: /sbin/auditctl -l | /bin/grep -P '^-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+(?=.*init_module)(?=.*delete_module).*-F[\s]+key=modules$' | /usr/bin/awk '{print} END {if (NR != 0) print "pass" ; else print "fail"}' +expect: pass +system: Linux + 800-171|3.3.1, 800-171|3.3.2, 800-53|AU-12, CN-L3|7.1.3.3(a), CN-L3|7.1.3.3(b), CN-L3|7.1.3.3(c), CN-L3|8.1.3.5(a), CN-L3|8.1.3.5(b), CN-L3|8.1.4.3(a), CSCv6|3, CSCv7|5.1, CSF|DE.CM-1, CSF|DE.CM-3, CSF|DE.CM-7, CSF|PR.PT-1, ISO/IEC-27001|A.12.4.1, ITSG-33|AU-12, LEVEL|2S, NESA|T3.6.2, NESA|T3.6.5, NESA|T3.6.6, NIAv2|SM8, QCSC-v1|13.2, QCSC-v1|3.2, QCSC-v1|6.2, QCSC-v1|8.2.1, SWIFT-CSCv1|6.4, TBA-FIISB|45.1.1 + FAILED + https://workbench.cisecurity.org/files/2611 + For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules + +For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules +Example: vi /etc/audit/rules.d/modules.rules +and add the following lines: + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +Notes: + +Reloading the auditd config to set 
active settings requires the auditd service to be restarted, and may require a system reboot. + $Revision: 1.480 $ + + + "4.1.17 Ensure the audit configuration is immutable" : [FAILED] + +Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot. + +Rationale: + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. + +Solution: +Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line + +-e 2 + +at the end of the file + +Notes: + +This setting will ensure reloading the auditd config to set active settings requires a system reboot. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3,CSCv7|6.2,CSCv7|6.3,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +cmd: /bin/grep -v "^$" /etc/audit/audit.rules | /usr/bin/tail -1 +dont_echo_cmd: YES +expect: ^[\s]*-e[\s]+2[\s]*$ +system: Linux + +Actual Value: +The command returned : + +--backlog_wait_time 0 + The command returned : + +--backlog_wait_time 0 + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + dd3e7f47c1e769675b99ac24944487dfa2923267866b81b24ad14f624a75dd1a + 4.1.17 Ensure the audit configuration is immutable + Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot. + +Rationale: + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. 
Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. + cmd: /bin/grep -v "^$" /etc/audit/audit.rules | /usr/bin/tail -1 +dont_echo_cmd: YES +expect: ^[\s]*-e[\s]+2[\s]*$ +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|8.1.10.6(d), CSCv6|3, CSCv7|6.2, CSCv7|6.3, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, NESA|T3.2.1, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + FAILED + https://workbench.cisecurity.org/files/2611 + Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line + +-e 2 + +at the end of the file + +Notes: + +This setting will ensure reloading the auditd config to set active settings requires a system reboot. + $Revision: 1.480 $ + + + "5.2.6 Ensure SSH X11 forwarding is disabled" : [PASSED] + +The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. + +Rationale: + +Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. 
+ +Solution: +Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +X11Forwarding no + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CIP|007-6-R1,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,LEVEL|2S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3 + +Policy Value: +expect: ^[\s]*X11Forwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*X11Forwarding[\s] +system: Linux + +Actual Value: +Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*X11Forwarding[\s]' found - expect '^[\s]*X11Forwarding[\s]+no[\s]*$' found in the following lines: + 22: X11Forwarding no + Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*X11Forwarding[\s]' found - expect '^[\s]*X11Forwarding[\s]+no[\s]*$' found in the following lines: + 22: X11Forwarding no + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 75a649a0fc1d66f4faf0b86fab5631c2df6ad6a53d0559d9adbab8611d8e03db + 5.2.6 Ensure SSH X11 forwarding is disabled + The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. + +Rationale: + +Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. 
+ expect: ^[\s]*X11Forwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*X11Forwarding[\s] +system: Linux + 800-171|3.4.2, 800-53|CM-6, CIP|007-6-R1, CN-L3|8.1.10.6(d), CSCv7|9.2, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|1S, LEVEL|2S, NESA|T3.2.1, PCI-DSSv3.1|2.2.4, PCI-DSSv3.2|2.2.4, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +X11Forwarding no + $Revision: 1.480 $ + + + "5.2.21 Ensure SSH AllowTcpForwarding is disabled" : [PASSED] + +SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines + +Rationale: + +Leaving port forwarding enabled can expose the organization to security risks and back-doors. + +SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network + +Solution: +Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +AllowTcpForwarding no + +Impact: + +SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications. 
+ +Default Value: + +AllowTcpForwarding yes + +References: + +https://www.ssh.com/ssh/tunneling/example + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: 800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|2S,NESA|T3.2.1,SWIFT-CSCv1|2.3 + +Policy Value: +expect: ^[\s]*AllowTcpForwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*AllowTcpForwarding[\s] +system: Linux + +Actual Value: +Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*AllowTcpForwarding[\s]' found - expect '^[\s]*AllowTcpForwarding[\s]+no[\s]*$' found in the following lines: + 63: AllowTcpForwarding no + Compliant file(s): + /etc/ssh/sshd_config - regex '^[\s]*AllowTcpForwarding[\s]' found - expect '^[\s]*AllowTcpForwarding[\s]+no[\s]*$' found in the following lines: + 63: AllowTcpForwarding no + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 0afee2ea9d92a9032de96dac0ac4841c2165281ba053b0b0f85d437aa76fd6ac + 5.2.21 Ensure SSH AllowTcpForwarding is disabled + SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines + +Rationale: + +Leaving port forwarding enabled can expose the organization to security risks and back-doors. + +SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. 
Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network + expect: ^[\s]*AllowTcpForwarding[\s]+no[\s]*$ +file: /etc/ssh/sshd_config +regex: ^[\s]*AllowTcpForwarding[\s] +system: Linux + 800-171|3.4.2, 800-53|CM-6, CN-L3|8.1.10.6(d), CSCv7|9.2, CSF|PR.IP-1, ITSG-33|CM-6, LEVEL|2S, NESA|T3.2.1, SWIFT-CSCv1|2.3 + PASSED + https://workbench.cisecurity.org/files/2611 + Edit the /etc/ssh/sshd_config file to set the parameter as follows: + +AllowTcpForwarding no + +Impact: + +SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications. + +Default Value: + +AllowTcpForwarding yes + +References: + +https://www.ssh.com/ssh/tunneling/example + $Revision: 1.480 $ + + + "6.1.1 Audit system file permissions" : [WARNING] + +The Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: + +Code Meaning + +S File size differs. + +M File mode differs (includes permissions and file type). + +5 The MD5 checksum differs. + +D The major and minor version numbers differ on a device file. + +L A mismatch occurs in a link. + +U The file ownership differs. + +G The file group owner differs. + +T The file time (mtime) differs. + +The dpkg -S command can be used to determine which package a particular file belongs to. 
For example the following command determines which package the /bin/bash file belongs to: + +# dpkg -S /bin/bash + + + +bash: /bin/bash + + + + +To verify the settings for the package that controls the /bin/bash file, run the following: + +# dpkg --verify bash + + + +??5?????? c /etc/bash.bashrc + +Rationale: + +It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor. + +NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. + +Solution: +Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + +Notes: + +Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures. + +Some of the recommendations of this benchmark alter the state of files audited by this recommendation. The audit command will alert for all changes to a file permissions even if the new state is more secure than the default. + +See Also: https://workbench.cisecurity.org/files/2611 + +Reference: CSCv6|14.4,CSCv7|14.6,LEVEL|2NS + +Policy Value: +WARNING + CIS_Ubuntu_18.04_LTS_Server_v2.0.1_L2.audit + 79108ca19f615ebba631613bd4f83427f83414add433dea43fd95a2221480e3d + 6.1.1 Audit system file permissions + The Ubuntu package manager has a number of useful options. One of these, the --verify option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: + +Code Meaning + +S File size differs. 
+ +M File mode differs (includes permissions and file type). + +5 The MD5 checksum differs. + +D The major and minor version numbers differ on a device file. + +L A mismatch occurs in a link. + +U The file ownership differs. + +G The file group owner differs. + +T The file time (mtime) differs. + +The dpkg -S command can be used to determine which package a particular file belongs to. For example the following command determines which package the /bin/bash file belongs to: + +# dpkg -S /bin/bash + + + +bash: /bin/bash + + + + +To verify the settings for the package that controls the /bin/bash file, run the following: + +# dpkg --verify bash + + + +??5?????? c /etc/bash.bashrc + +Rationale: + +It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor. + +NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. + WARNING + CSCv6|14.4, CSCv7|14.6, LEVEL|2NS + WARNING + https://workbench.cisecurity.org/files/2611 + Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + +Notes: + +Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures. + +Some of the recommendations of this benchmark alter the state of files audited by this recommendation. The audit command will alert for all changes to a file permissions even if the new state is more secure than the default. + $Revision: 1.480 $ + + + + \ No newline at end of file