Use controls to assign ANSSI references #11556
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The references to ANSSI will be automatically added to rules during the build based on the data in `controls/anssi.yml`.
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the trimmed diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_prefer_64bit_os'.
--- xccdf_org.ssgproject.content_rule_prefer_64bit_os
+++ xccdf_org.ssgproject.content_rule_prefer_64bit_os
@@ -9,7 +9,7 @@
There is no remediation besides installing a 64-bit operating system.
[reference]:
-BP28(R10)
+BP28(R1)
[rationale]:
Use of a 64-bit operating system offers a few advantages, like a larger address space range for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed'.
--- xccdf_org.ssgproject.content_rule_package_aide_installed
+++ xccdf_org.ssgproject.content_rule_package_aide_installed
@@ -8,9 +8,6 @@
$ sudo yum install aide
[reference]:
-BP28(R51)
-
-[reference]:
1
[reference]:
@@ -237,6 +234,12 @@
[reference]:
SV-251710r880730_rule
+
+[reference]:
+BP28(R76)
+
+[reference]:
+BP28(R79)
[reference]:
5.3.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_build_database'.
--- xccdf_org.ssgproject.content_rule_aide_build_database
+++ xccdf_org.ssgproject.content_rule_aide_build_database
@@ -23,9 +23,6 @@
If this check produces any unexpected output, investigate.
[reference]:
-BP28(R51)
-
-[reference]:
1
[reference]:
@@ -231,6 +228,12 @@
[reference]:
SV-251710r880730_rule
+
+[reference]:
+BP28(R76)
+
+[reference]:
+BP28(R79)
[reference]:
5.3.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking'.
--- xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
+++ xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
@@ -13,9 +13,6 @@
@weekly is acceptable.
[reference]:
-BP28(R51)
-
-[reference]:
1
[reference]:
@@ -236,6 +233,9 @@
[reference]:
SRG-OS-000447-GPOS-00201
+
+[reference]:
+BP28(R76)
[reference]:
5.3.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -10,9 +10,6 @@
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
-
-[reference]:
-BP28(R51)
[reference]:
1
@@ -164,6 +161,9 @@
[reference]:
SV-230263r902716_rule
+[reference]:
+BP28(R76)
+
[rationale]:
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_verify_acls'.
--- xccdf_org.ssgproject.content_rule_aide_verify_acls
+++ xccdf_org.ssgproject.content_rule_aide_verify_acls
@@ -13,9 +13,6 @@
The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
-
-[reference]:
-BP28(R51)
[reference]:
2
@@ -95,6 +92,9 @@
[reference]:
SV-230552r880724_rule
+[reference]:
+BP28(R76)
+
[rationale]:
ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes'.
--- xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
+++ xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
@@ -13,9 +13,6 @@
The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
-
-[reference]:
-BP28(R51)
[reference]:
2
@@ -95,6 +92,9 @@
[reference]:
SV-230551r627750_rule
+[reference]:
+BP28(R76)
+
[rationale]:
Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot'.
--- xccdf_org.ssgproject.content_rule_partition_for_boot
+++ xccdf_org.ssgproject.content_rule_partition_for_boot
@@ -10,7 +10,7 @@
option.
[reference]:
-BP28(R12)
+BP28(R28)
[rationale]:
The /boot partition contains the kernel and bootloader files.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'.
--- xccdf_org.ssgproject.content_rule_partition_for_home
+++ xccdf_org.ssgproject.content_rule_partition_for_home
@@ -8,9 +8,6 @@
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
-
-[reference]:
-BP28(R12)
[reference]:
12
@@ -91,6 +88,9 @@
SV-230328r902723_rule
[reference]:
+BP28(R28)
+
+[reference]:
1.1.2.3.1
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt'.
--- xccdf_org.ssgproject.content_rule_partition_for_opt
+++ xccdf_org.ssgproject.content_rule_partition_for_opt
@@ -7,7 +7,7 @@
partition.
[reference]:
-BP28(R12)
+BP28(R28)
[rationale]:
The /opt partition contains additional software, usually installed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv'.
--- xccdf_org.ssgproject.content_rule_partition_for_srv
+++ xccdf_org.ssgproject.content_rule_partition_for_srv
@@ -10,7 +10,7 @@
mountpoint can instead be configured later.
[reference]:
-BP28(R12)
+BP28(R28)
[rationale]:
Srv deserves files for local network file server such as FTP. Ensuring
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -6,9 +6,6 @@
The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
-
-[reference]:
-BP28(R12)
[reference]:
12
@@ -86,6 +83,9 @@
SV-230295r627750_rule
[reference]:
+BP28(R28)
+
+[reference]:
1.1.2.1.1
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr'.
--- xccdf_org.ssgproject.content_rule_partition_for_usr
+++ xccdf_org.ssgproject.content_rule_partition_for_usr
@@ -7,7 +7,7 @@
partition.
[reference]:
-BP28(R12)
+BP28(R28)
[rationale]:
The /usr partition contains system software, utilities and files.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'.
--- xccdf_org.ssgproject.content_rule_partition_for_var
+++ xccdf_org.ssgproject.content_rule_partition_for_var
@@ -6,9 +6,6 @@
The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.
-
-[reference]:
-BP28(R12)
[reference]:
12
@@ -86,6 +83,9 @@
SV-230292r902718_rule
[reference]:
+BP28(R28)
+
+[reference]:
1.1.2.4.1
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -7,12 +7,6 @@
Ensure that /var/log has its own partition or logical
volume at installation time, or migrate it using LVM.
-
-[reference]:
-BP28(R12)
-
-[reference]:
-BP28(R47)
[reference]:
1
@@ -180,6 +174,9 @@
SV-230293r902720_rule
[reference]:
+BP28(R28)
+
+[reference]:
1.1.2.6.1
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
@@ -11,9 +11,6 @@
audit logs that will be created by the auditing daemon.
[reference]:
-BP28(R43)
-
-[reference]:
1
[reference]:
@@ -213,6 +210,9 @@
[reference]:
SV-230294r627750_rule
+
+[reference]:
+BP28(R71)
[reference]:
1.1.2.7.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -6,9 +6,6 @@
The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
-
-[reference]:
-BP28(R12)
[reference]:
SRG-OS-000480-GPOS-00227
@@ -20,6 +17,9 @@
SV-244529r902737_rule
[reference]:
+BP28(R28)
+
+[reference]:
1.1.2.5.1
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed'.
--- xccdf_org.ssgproject.content_rule_package_sudo_installed
+++ xccdf_org.ssgproject.content_rule_package_sudo_installed
@@ -6,9 +6,6 @@
The sudo package can be installed with the following command:
$ sudo yum install sudo
-
-[reference]:
-BP28(R19)
[reference]:
1382
@@ -32,6 +29,9 @@
SRG-OS-000324-GPOS-00125
[reference]:
+BP28(R33)
+
+[reference]:
4.3.1
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_add_env_reset'.
--- xccdf_org.ssgproject.content_rule_sudo_add_env_reset
+++ xccdf_org.ssgproject.content_rule_sudo_add_env_reset
@@ -11,7 +11,7 @@
in /etc/sudoers.d/.
[reference]:
-BP28(R58)
+BP28(R39)
[rationale]:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot'.
--- xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
+++ xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
@@ -11,7 +11,7 @@
in /etc/sudoers.d/.
[reference]:
-BP28(R58)
+BP28(R39)
[rationale]:
Ignoring the commands in the user's current directory prevents an attacker from executing commands
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_add_noexec'.
--- xccdf_org.ssgproject.content_rule_sudo_add_noexec
+++ xccdf_org.ssgproject.content_rule_sudo_add_noexec
@@ -10,7 +10,7 @@
in /etc/sudoers.d/.
[reference]:
-BP28(R58)
+BP28(R39)
[rationale]:
Restricting the capability of sudo allowed commands to execute sub-commands
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_add_requiretty'.
--- xccdf_org.ssgproject.content_rule_sudo_add_requiretty
+++ xccdf_org.ssgproject.content_rule_sudo_add_requiretty
@@ -10,7 +10,7 @@
in /etc/sudoers.d/.
[reference]:
-BP28(R58)
+BP28(R39)
[rationale]:
Restricting the use cases in which a user is allowed to execute sudo commands
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_add_umask'.
--- xccdf_org.ssgproject.content_rule_sudo_add_umask
+++ xccdf_org.ssgproject.content_rule_sudo_add_umask
@@ -12,7 +12,7 @@
in /etc/sudoers.d/.
[reference]:
-BP28(R58)
+BP28(R39)
[rationale]:
The umask value influences the permissions assigned to files when they are created.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_add_use_pty'.
--- xccdf_org.ssgproject.content_rule_sudo_add_use_pty
+++ xccdf_org.ssgproject.content_rule_sudo_add_use_pty
@@ -10,13 +10,13 @@
in /etc/sudoers.d/.
[reference]:
-BP28(R58)
-
-[reference]:
Req-10.2.5
[reference]:
2.2.6
+
+[reference]:
+BP28(R39)
[reference]:
4.3.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
+++ xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
@@ -7,12 +7,6 @@
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/.
-
-[reference]:
-BP28(R5)
-
-[reference]:
-BP28(R59)
[reference]:
1
@@ -155,6 +149,9 @@
[reference]:
SV-230272r854027_rule
+[reference]:
+BP28(R40)
+
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
+++ xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
@@ -12,12 +12,6 @@
[warning]:
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV requires to perform operations as root without being asked for password.
-
-[reference]:
-BP28(R5)
-
-[reference]:
-BP28(R59)
[reference]:
1
@@ -160,6 +154,9 @@
[reference]:
SV-230271r854026_rule
+[reference]:
+BP28(R40)
+
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_restrict_others_executable_permission'.
--- xccdf_org.ssgproject.content_rule_sudo_restrict_others_executable_permission
+++ xccdf_org.ssgproject.content_rule_sudo_restrict_others_executable_permission
@@ -8,9 +8,6 @@
To properly set the permissions of /usr/bin/sudo, run the command:
$ sudo chmod 4110 /usr/bin/sudo
-[reference]:
-BP28(R57)
-
[rationale]:
Restricting the set of users able to execute commands as privileged user reduces the attack surface.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args'.
--- xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args
+++ xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args
@@ -13,7 +13,7 @@
The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, root ALL=(ALL) echo 1\,2 allows root to execute echo 1,2, but the check would interpret it as two commands echo 1\ and 2.
[reference]:
-BP28(R63)
+BP28(R43)
[rationale]:
Any argument can modify quite significantly the behavior of a program, whether regarding the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudoers_no_command_negation'.
--- xccdf_org.ssgproject.content_rule_sudoers_no_command_negation
+++ xccdf_org.ssgproject.content_rule_sudoers_no_command_negation
@@ -13,7 +13,7 @@
This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.
[reference]:
-BP28(R61)
+BP28(R42)
[rationale]:
Specifying access right using negation is inefficient and can be easily circumvented.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'.
--- xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
+++ xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
@@ -8,10 +8,10 @@
$ sudo yum install dnf-automatic
[reference]:
-BP28(R8)
+SRG-OS-000191-GPOS-00080
[reference]:
-SRG-OS-000191-GPOS-00080
+BP28(R61)
[rationale]:
dnf-automatic is an alternative command line interface (CLI)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates'.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
@@ -4,9 +4,6 @@
[description]:
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
-
-[reference]:
-BP28(R8)
[reference]:
0940
@@ -47,6 +44,9 @@
[reference]:
SRG-OS-000191-GPOS-00080
+[reference]:
+BP28(R61)
+
[rationale]:
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only'.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
@@ -6,9 +6,6 @@
To configure dnf-automatic to install only security updates
automatically, set upgrade_type to security under
[commands] section in /etc/dnf/automatic.conf.
-
-[reference]:
-BP28(R8)
[reference]:
SI-2(5)
@@ -25,6 +22,9 @@
[reference]:
SRG-OS-000191-GPOS-00080
+[reference]:
+BP28(R61)
+
[rationale]:
By default, dnf-automatic installs all available updates.
Reducing the amount of updated packages only to updates that were
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
@@ -11,9 +11,6 @@
gpgcheck=1
[reference]:
-BP28(R15)
-
-[reference]:
11
[reference]:
@@ -183,6 +180,9 @@
[reference]:
SV-230264r880711_rule
+
+[reference]:
+BP28(R59)
[reference]:
1.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
@@ -6,9 +6,6 @@
yum should be configured to verify the signature(s) of local packages
prior to installation. To configure yum to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
-
-[reference]:
-BP28(R15)
[reference]:
11
@@ -115,6 +112,9 @@
[reference]:
SV-230265r877463_rule
+[reference]:
+BP28(R59)
+
[rationale]:
Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -6,9 +6,6 @@
To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
-
-[reference]:
-BP28(R15)
[reference]:
11
@@ -182,6 +179,9 @@
SV-230264r880711_rule
[reference]:
+BP28(R59)
+
+[reference]:
1.2.2
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -21,9 +21,6 @@
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[reference]:
-BP28(R15)
-
-[reference]:
11
[reference]:
@@ -199,6 +196,9 @@
[reference]:
SV-256973r902752_rule
+
+[reference]:
+BP28(R59)
[rationale]:
Changes to software components can have significant effects on the overall
New content has different text for rule 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date'.
--- xccdf_org.ssgproject.content_rule_security_patches_up_to_date
+++ xccdf_org.ssgproject.content_rule_security_patches_up_to_date
@@ -15,9 +15,6 @@
[warning]:
The OVAL feed of Red Hat Enterprise Linux 8 is not a XML file, which may not be understood by all scanners.
-
-[reference]:
-BP28(R08)
[reference]:
18
@@ -118,6 +115,9 @@
[reference]:
SV-230222r627750_rule
+[reference]:
+BP28(R61)
+
[rationale]:
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
New content has different text for rule 'xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled'.
--- xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled
+++ xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled
@@ -5,9 +5,6 @@
[description]:
The dnf-automatic timer can be enabled with the following command:
$ sudo systemctl enable dnf-automatic.timer
-
-[reference]:
-BP28(R8)
[reference]:
SI-2(5)
@@ -24,6 +21,9 @@
[reference]:
SRG-OS-000191-GPOS-00080
+[reference]:
+BP28(R61)
+
[rationale]:
The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar.
The tool is controlled by dnf-automatic.timer SystemD timer.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_authselect'.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -12,9 +12,6 @@
the administrator. If this is the case, in order to not overwrite the desired changes made
by the administrator, the current PAM settings should be investigated before forcing the
selection of the chosen authselect profile.
-
-[reference]:
-BP28(R31)
[reference]:
CCI-000213
@@ -65,6 +62,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+BP28(R31)
+
+[reference]:
enable_authselect
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_pam_namespace'.
--- xccdf_org.ssgproject.content_rule_enable_pam_namespace
+++ xccdf_org.ssgproject.content_rule_enable_pam_namespace
@@ -7,7 +7,7 @@
session required pam_namespace.so
[reference]:
-BP28(R39)
+BP28(R55)
[rationale]:
The pam_namespace PAM module sets up a private namespace for a
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -17,9 +17,6 @@
Newer versions of authselect contain an authselect feature to easily and properly
enable pam_pwhistory.so module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
-
-[reference]:
-BP28(R18)
[reference]:
1
@@ -189,6 +186,9 @@
[reference]:
SRG-OS-000077-GPOS-00045
+[reference]:
+BP28(R31)
+
[rationale]:
Preventing re-use of previous passwords helps ensure that a compromised password is not
re-used by a user.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -28,9 +28,6 @@
parameters should be defined in faillock.conf file.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -206,6 +203,9 @@
[reference]:
SV-230333r743966_rule
+
+[reference]:
+BP28(R31)
[reference]:
4.4.3.1.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -19,9 +19,6 @@
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file.
-
-[reference]:
-BP28(R18)
[reference]:
1
@@ -186,6 +183,9 @@
SV-230345r743984_rule
[reference]:
+BP28(R31)
+
+[reference]:
4.4.3.1.3
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -25,9 +25,6 @@
parameters should be defined in faillock.conf file.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -197,6 +194,9 @@
[reference]:
SV-230335r743969_rule
+
+[reference]:
+BP28(R31)
[rationale]:
By limiting the number of failed logon attempts the risk of unauthorized system
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -38,9 +38,6 @@
parameters should be defined in faillock.conf file.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -222,6 +219,9 @@
[reference]:
SV-230337r743972_rule
+
+[reference]:
+BP28(R31)
[reference]:
4.4.3.1.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -10,9 +10,6 @@
/etc/security/pwquality.conf to require the use of a digit in passwords.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -230,6 +227,9 @@
[reference]:
SV-230359r858775_rule
+
+[reference]:
+BP28(R31)
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -10,9 +10,6 @@
/etc/security/pwquality.conf to require the use of a lowercase character in passwords.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -230,6 +227,9 @@
[reference]:
SV-230358r858773_rule
+
+[reference]:
+BP28(R31)
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -8,9 +8,6 @@
after pam_pwquality to set minimum password length requirements.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -231,6 +228,9 @@
[reference]:
SV-230369r858785_rule
+
+[reference]:
+BP28(R31)
[reference]:
4.4.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -12,9 +12,6 @@
to require use of a special character in passwords.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -226,6 +223,9 @@
[reference]:
SV-230375r858787_rule
+
+[reference]:
+BP28(R31)
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -10,9 +10,6 @@
/etc/security/pwquality.conf to require the use of an uppercase character in passwords.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -233,6 +230,9 @@
[reference]:
SV-230357r858771_rule
+
+[reference]:
+BP28(R31)
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
@@ -8,9 +8,6 @@
ENCRYPT_METHOD 'xccdf_org.ssgproject.content_value_var_password_hashing_algorithm'
[reference]:
-BP28(R32)
-
-[reference]:
1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
@@ -19,9 +19,6 @@
the default.
[reference]:
-BP28(R32)
-
-[reference]:
1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
@@ -19,9 +19,6 @@
the default.
[reference]:
-BP28(R32)
-
-[reference]:
1
[reference]:
@@ -212,6 +209,9 @@
[reference]:
SV-244524r809331_rule
+
+[reference]:
+BP28(R68)
[reference]:
4.4.3.4.3
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -10,9 +10,6 @@
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of 5000.
-
-[reference]:
-BP28(R68)
[reference]:
CCI-000196
New content has different text for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout'.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -10,9 +10,6 @@
StopIdleSessionSec='xccdf_org.ssgproject.content_value_var_logind_session_timeout'.
[reference]:
-BP28(R29)
-
-[reference]:
1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
@@ -12,9 +12,6 @@
The profile requirement is 'xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs'.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -199,6 +196,9 @@
[reference]:
SV-230366r646878_rule
+
+[reference]:
+BP28(R31)
[reference]:
4.5.1.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
@@ -17,9 +17,6 @@
information about enforcing password quality requirements.
[reference]:
-BP28(R18)
-
-[reference]:
1
[reference]:
@@ -231,6 +228,9 @@
[reference]:
SV-230370r627750_rule
+
+[reference]:
+BP28(R31)
[rationale]:
Requiring a minimum password length makes password
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -16,13 +16,13 @@
but requires more CPU resources to authenticate users.
[reference]:
-BP28(R68)
-
-[reference]:
CCI-000196
[reference]:
SRG-OS-000073-GPOS-00041
+
+[reference]:
+BP28(R68)
[rationale]:
Using a higher number of rounds makes password cracking attacks more difficult.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
@@ -16,13 +16,13 @@
but requires more CPU resources to authenticate users.
[reference]:
-BP28(R68)
-
-[reference]:
CCI-000196
[reference]:
SRG-OS-000073-GPOS-00041
+
+[reference]:
+BP28(R68)
[rationale]:
Using a higher number of rounds makes password cracking attacks more difficult.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_direct_root_logins'.
--- xccdf_org.ssgproject.content_rule_no_direct_root_logins
+++ xccdf_org.ssgproject.content_rule_no_direct_root_logins
@@ -23,9 +23,6 @@
the pam_securetty.so PAM module is properly enabled in relevant PAM files.
[reference]:
-BP28(R19)
-
-[reference]:
1
[reference]:
@@ -246,6 +243,9 @@
[reference]:
8.6.1
+
+[reference]:
+BP28(R33)
[rationale]:
Disabling direct root logins ensures proper accountability and multifactor
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp'.
--- xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp
+++ xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp
@@ -10,7 +10,7 @@
/tmp /tmp/tmp-inst/ level root,adm
[reference]:
-BP28(R39)
+BP28(R55)
[rationale]:
Polyinstantiation of temporary directories is a proactive security measure
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp'.
--- xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp
+++ xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp
@@ -10,7 +10,7 @@
/var/tmp /var/tmp/tmp-inst/ level root,adm
[reference]:
-BP28(R39)
+BP28(R55)
[rationale]:
Polyinstantiation of temporary directories is a proactive security measure
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout'.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -14,9 +14,6 @@
or
declare -xr TMOUT='xccdf_org.ssgproject.content_value_var_accounts_tmout'
Using the typeset keyword is preferred for wider compatibility with ksh and other shells.
-
-[reference]:
-BP28(R29)
[reference]:
1
@@ -163,6 +160,9 @@
SRG-OS-000029-GPOS-00010
[reference]:
+BP28(R32)
+
+[reference]:
4.5.3.2
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
@@ -7,9 +7,6 @@
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 'xccdf_org.ssgproject.content_value_var_accounts_user_umask'
-
-[reference]:
-BP28(R35)
[reference]:
18
@@ -93,6 +90,9 @@
SV-230385r792902_rule
[reference]:
+BP28(R36)
+
+[reference]:
4.5.3.3
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
@@ -6,9 +6,6 @@
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 'xccdf_org.ssgproject.content_value_var_accounts_user_umask'
-
-[reference]:
-BP28(R35)
[reference]:
11
@@ -137,6 +134,9 @@
SV-230383r627750_rule
[reference]:
+BP28(R36)
+
+[reference]:
4.5.3.3
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
@@ -10,9 +10,6 @@
Note that /etc/profile also reads scrips within /etc/profile.d directory.
These scripts are also valid files to set umask value. Therefore, they should also be
considered during the check and properly remediated, if necessary.
-
-[reference]:
-BP28(R35)
[reference]:
18
@@ -96,6 +93,9 @@
SV-230385r792902_rule
[reference]:
+BP28(R36)
+
+[reference]:
4.5.3.3
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
--- xccdf_org.ssgproject.content_rule_package_audit_installed
+++ xccdf_org.ssgproject.content_rule_package_audit_installed
@@ -6,196 +6,196 @@
The audit package should be installed.
[reference]:
+CCI-000130
+
+[reference]:
+CCI-000131
+
+[reference]:
+CCI-000132
+
+[reference]:
+CCI-000133
+
+[reference]:
+CCI-000134
+
+[reference]:
+CCI-000135
+
+[reference]:
+CCI-000154
+
+[reference]:
+CCI-000158
+
+[reference]:
+CCI-000172
+
+[reference]:
+CCI-001464
+
+[reference]:
+CCI-001487
+
+[reference]:
+CCI-001814
+
+[reference]:
+CCI-001875
+
+[reference]:
+CCI-001876
+
+[reference]:
+CCI-001877
+
+[reference]:
+CCI-001878
+
+[reference]:
+CCI-001879
+
+[reference]:
+CCI-001880
+
+[reference]:
+CCI-001881
+
+[reference]:
+CCI-001882
+
+[reference]:
+CCI-001889
+
+[reference]:
+CCI-001914
+
+[reference]:
+CCI-002884
+
+[reference]:
+CCI-000169
+
+[reference]:
+CIP-004-6 R3.3
+
+[reference]:
+CIP-007-3 R6.5
+
+[reference]:
+AC-7(a)
+
+[reference]:
+AU-7(1)
+
+[reference]:
+AU-7(2)
+
+[reference]:
+AU-14
+
+[reference]:
+AU-12(2)
+
+[reference]:
+AU-2(a)
+
+[reference]:
+CM-6(a)
+
+[reference]:
+FAU_GEN.1
+
+[reference]:
+Req-10.1
+
+[reference]:
+10.2.1
+
+[reference]:
+SRG-OS-000062-GPOS-00031
+
+[reference]:
+SRG-OS-000037-GPOS-00015
+
+[reference]:
+SRG-OS-000038-GPOS-00016
+
+[reference]:
+SRG-OS-000039-GPOS-00017
+
+[reference]:
+SRG-OS-000040-GPOS-00018
+
+[reference]:
+SRG-OS-000041-GPOS-00019
+
+[reference]:
+SRG-OS-000042-GPOS-00021
+
+[reference]:
+SRG-OS-000051-GPOS-00024
+
+[reference]:
+SRG-OS-000054-GPOS-00025
+
+[reference]:
+SRG-OS-000122-GPOS-00063
+
+[reference]:
+SRG-OS-000254-GPOS-00095
+
+[reference]:
+SRG-OS-000255-GPOS-00096
+
+[reference]:
+SRG-OS-000337-GPOS-00129
+
+[reference]:
+SRG-OS-000348-GPOS-00136
+
+[reference]:
+SRG-OS-000349-GPOS-00137
+
+[reference]:
+SRG-OS-000350-GPOS-00138
+
+[reference]:
+SRG-OS-000351-GPOS-00139
+
+[reference]:
+SRG-OS-000352-GPOS-00140
+
+[reference]:
+SRG-OS-000353-GPOS-00141
+
+[reference]:
+SRG-OS-000354-GPOS-00142
+
+[reference]:
+SRG-OS-000358-GPOS-00145
+
+[reference]:
+SRG-OS-000365-GPOS-00152
+
+[reference]:
+SRG-OS-000392-GPOS-00172
+
+[reference]:
+SRG-OS-000475-GPOS-00220
+
+[reference]:
+RHEL-08-030180
+
+[reference]:
+SV-230411r744000_rule
+
+[reference]:
BP28(R33)
[reference]:
BP28(R73)
-
-[reference]:
-CCI-000130
-
-[reference]:
-CCI-000131
-
-[reference]:
-CCI-000132
-
-[reference]:
-CCI-000133
-
-[reference]:
-CCI-000134
-
-[reference]:
-CCI-000135
-
-[reference]:
-CCI-000154
-
-[reference]:
-CCI-000158
-
-[reference]:
-CCI-000172
-
-[reference]:
-CCI-001464
-
-[reference]:
-CCI-001487
-
-[reference]:
-CCI-001814
-
-[reference]:
-CCI-001875
-
-[reference]:
-CCI-001876
-
-[reference]:
-CCI-001877
-
-[reference]:
-CCI-001878
-
-[reference]:
-CCI-001879
-
-[reference]:
-CCI-001880
-
-[reference]:
-CCI-001881
-
-[reference]:
-CCI-001882
-
-[reference]:
-CCI-001889
-
-[reference]:
-CCI-001914
-
-[reference]:
-CCI-002884
-
-[reference]:
-CCI-000169
-
-[reference]:
-CIP-004-6 R3.3
-
-[reference]:
-CIP-007-3 R6.5
-
-[reference]:
-AC-7(a)
-
-[reference]:
-AU-7(1)
-
-[reference]:
-AU-7(2)
-
-[reference]:
-AU-14
-
-[reference]:
-AU-12(2)
-
-[reference]:
-AU-2(a)
-
-[reference]:
-CM-6(a)
-
-[reference]:
-FAU_GEN.1
-
-[reference]:
-Req-10.1
-
-[reference]:
-10.2.1
-
-[reference]:
-SRG-OS-000062-GPOS-00031
-
-[reference]:
-SRG-OS-000037-GPOS-00015
-
-[reference]:
-SRG-OS-000038-GPOS-00016
-
-[reference]:
-SRG-OS-000039-GPOS-00017
-
-[reference]:
-SRG-OS-000040-GPOS-00018
-
-[reference]:
-SRG-OS-000041-GPOS-00019
-
-[reference]:
-SRG-OS-000042-GPOS-00021
-
-[reference]:
-SRG-OS-000051-GPOS-00024
-
-[reference]:
-SRG-OS-000054-GPOS-00025
-
-[reference]:
-SRG-OS-000122-GPOS-00063
-
-[reference]:
-SRG-OS-000254-GPOS-00095
-
-[reference]:
-SRG-OS-000255-GPOS-00096
-
-[reference]:
-SRG-OS-000337-GPOS-00129
-
-[reference]:
-SRG-OS-000348-GPOS-00136
-
-[reference]:
-SRG-OS-000349-GPOS-00137
-
-[reference]:
-SRG-OS-000350-GPOS-00138
-
-[reference]:
-SRG-OS-000351-GPOS-00139
-
-[reference]:
-SRG-OS-000352-GPOS-00140
-
-[reference]:
-SRG-OS-000353-GPOS-00141
-
-[reference]:
-SRG-OS-000354-GPOS-00142
-
-[reference]:
-SRG-OS-000358-GPOS-00145
-
-[reference]:
-SRG-OS-000365-GPOS-00152
-
-[reference]:
-SRG-OS-000392-GPOS-00172
-
-[reference]:
-SRG-OS-000475-GPOS-00220
-
-[reference]:
-RHEL-08-030180
-
-[reference]:
-SV-230411r744000_rule
[reference]:
5.2.1.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -11,553 +11,553 @@
$ sudo systemctl enable auditd.service
[reference]:
+1
+
+[reference]:
+11
+
+[reference]:
+12
+
+[reference]:
+13
+
+[reference]:
+14
+
+[reference]:
+15
+
+[reference]:
+16
+
+[reference]:
+19
+
+[reference]:
+2
+
+[reference]:
+3
+
+[reference]:
+4
+
+[reference]:
+5
+
+[reference]:
+6
+
+[reference]:
+7
+
+[reference]:
+8
+
+[reference]:
+9
+
+[reference]:
+5.4.1.1
+
+[reference]:
+APO10.01
+
+[reference]:
+APO10.03
+
+[reference]:
+APO10.04
+
+[reference]:
+APO10.05
+
+[reference]:
+APO11.04
+
+[reference]:
+APO12.06
+
+[reference]:
+APO13.01
+
+[reference]:
+BAI03.05
+
+[reference]:
+BAI08.02
+
+[reference]:
+DSS01.03
+
+[reference]:
+DSS01.04
+
+[reference]:
+DSS02.02
+
+[reference]:
+DSS02.04
+
+[reference]:
+DSS02.07
+
+[reference]:
+DSS03.01
+
+[reference]:
+DSS03.05
+
+[reference]:
+DSS05.02
+
+[reference]:
+DSS05.03
+
+[reference]:
+DSS05.04
+
+[reference]:
+DSS05.05
+
+[reference]:
+DSS05.07
+
+[reference]:
+MEA01.01
+
+[reference]:
+MEA01.02
+
+[reference]:
+MEA01.03
+
+[reference]:
+MEA01.04
+
+[reference]:
+MEA01.05
+
+[reference]:
+MEA02.01
+
+[reference]:
+3.3.1
+
+[reference]:
+3.3.2
+
+[reference]:
+3.3.6
+
+[reference]:
+CCI-000126
+
+[reference]:
+CCI-000130
+
+[reference]:
+CCI-000131
+
+[reference]:
+CCI-000132
+
+[reference]:
+CCI-000133
+
+[reference]:
+CCI-000134
+
+[reference]:
+CCI-000135
+
+[reference]:
+CCI-000154
+
+[reference]:
+CCI-000158
+
+[reference]:
+CCI-000172
+
+[reference]:
+CCI-000366
+
+[reference]:
+CCI-001464
+
+[reference]:
+CCI-001487
+
+[reference]:
+CCI-001814
+
+[reference]:
+CCI-001875
+
+[reference]:
+CCI-001876
+
+[reference]:
+CCI-001877
+
+[reference]:
+CCI-002884
+
+[reference]:
+CCI-001878
+
+[reference]:
+CCI-001879
+
+[reference]:
+CCI-001880
+
+[reference]:
+CCI-001881
+
+[reference]:
+CCI-001882
+
+[reference]:
+CCI-001889
+
+[reference]:
+CCI-001914
+
+[reference]:
+CCI-000169
+
+[reference]:
+164.308(a)(1)(ii)(D)
+
+[reference]:
+164.308(a)(5)(ii)(C)
+
+[reference]:
+164.310(a)(2)(iv)
+
+[reference]:
+164.310(d)(2)(iii)
+
+[reference]:
+164.312(b)
+
+[reference]:
+4.2.3.10
+
+[reference]:
+4.3.2.6.7
+
+[reference]:
+4.3.3.3.9
+
+[reference]:
+4.3.3.5.8
+
+[reference]:
+4.3.3.6.6
+
+[reference]:
+4.3.4.4.7
+
+[reference]:
+4.3.4.5.6
+
+[reference]:
+4.3.4.5.7
+
+[reference]:
+4.3.4.5.8
+
+[reference]:
+4.4.2.1
+
+[reference]:
+4.4.2.2
+
+[reference]:
+4.4.2.4
+
+[reference]:
+SR 1.13
+
+[reference]:
+SR 2.10
+
+[reference]:
+SR 2.11
+
+[reference]:
+SR 2.12
+
+[reference]:
+SR 2.6
+
+[reference]:
+SR 2.8
+
+[reference]:
+SR 2.9
+
+[reference]:
+SR 3.1
+
+[reference]:
+SR 3.5
+
+[reference]:
+SR 3.8
+
+[reference]:
+SR 4.1
+
+[reference]:
+SR 4.3
+
+[reference]:
+SR 5.1
+
+[reference]:
+SR 5.2
+
+[reference]:
+SR 5.3
+
+[reference]:
+SR 6.1
+
+[reference]:
+SR 6.2
+
+[reference]:
+SR 7.1
+
+[reference]:
+SR 7.6
+
+[reference]:
+A.11.2.6
+
+[reference]:
+A.12.4.1
+
+[reference]:
+A.12.4.2
+
+[reference]:
+A.12.4.3
+
+[reference]:
+A.12.4.4
+
+[reference]:
+A.12.7.1
+
+[reference]:
+A.13.1.1
+
+[reference]:
+A.13.2.1
+
+[reference]:
+A.14.1.3
+
+[reference]:
+A.14.2.7
+
+[reference]:
+A.15.2.1
+
+[reference]:
+A.15.2.2
+
+[reference]:
+A.16.1.4
+
+[reference]:
+A.16.1.5
+
+[reference]:
+A.16.1.7
+
+[reference]:
+A.6.2.1
+
+[reference]:
+A.6.2.2
+
+[reference]:
+CIP-004-6 R3.3
+
+[reference]:
+CIP-007-3 R6.5
+
+[reference]:
+AC-2(g)
+
+[reference]:
+AU-3
+
+[reference]:
+AU-10
+
+[reference]:
+AU-2(d)
+
+[reference]:
+AU-12(c)
+
+[reference]:
+AU-14(1)
+
+[reference]:
+AC-6(9)
+
+[reference]:
+CM-6(a)
+
+[reference]:
+SI-4(23)
+
+[reference]:
+DE.AE-3
+
+[reference]:
+DE.AE-5
+
+[reference]:
+DE.CM-1
+
+[reference]:
+DE.CM-3
+
+[reference]:
+DE.CM-7
+
+[reference]:
+ID.SC-4
+
+[reference]:
+PR.AC-3
+
+[reference]:
+PR.PT-1
+
+[reference]:
+PR.PT-4
+
+[reference]:
+RS.AN-1
+
+[reference]:
+RS.AN-4
+
+[reference]:
+FAU_GEN.1
+
+[reference]:
+Req-10.1
+
+[reference]:
+10.2.1
+
+[reference]:
+SRG-OS-000062-GPOS-00031
+
+[reference]:
+SRG-OS-000037-GPOS-00015
+
+[reference]:
+SRG-OS-000038-GPOS-00016
+
+[reference]:
+SRG-OS-000039-GPOS-00017
+
+[reference]:
+SRG-OS-000040-GPOS-00018
+
+[reference]:
+SRG-OS-000041-GPOS-00019
+
+[reference]:
+SRG-OS-000042-GPOS-00021
+
+[reference]:
+SRG-OS-000051-GPOS-00024
+
+[reference]:
+SRG-OS-000054-GPOS-00025
+
+[reference]:
+SRG-OS-000122-GPOS-00063
+
+[reference]:
+SRG-OS-000254-GPOS-00095
+
+[reference]:
+SRG-OS-000255-GPOS-00096
+
+[reference]:
+SRG-OS-000337-GPOS-00129
+
+[reference]:
+SRG-OS-000348-GPOS-00136
+
+[reference]:
+SRG-OS-000349-GPOS-00137
+
+[reference]:
+SRG-OS-000350-GPOS-00138
+
+[reference]:
+SRG-OS-000351-GPOS-00139
+
+[reference]:
+SRG-OS-000352-GPOS-00140
+
+[reference]:
+SRG-OS-000353-GPOS-00141
+
+[reference]:
+SRG-OS-000354-GPOS-00142
+
+[reference]:
+SRG-OS-000358-GPOS-00145
+
+[reference]:
+SRG-OS-000365-GPOS-00152
+
+[reference]:
+SRG-OS-000392-GPOS-00172
+
+[reference]:
+SRG-OS-000475-GPOS-00220
+
+[reference]:
+SRG-APP-000095-CTR-000170
+
+[reference]:
+SRG-APP-000409-CTR-000990
+
+[reference]:
+SRG-APP-000508-CTR-001300
+
+[reference]:
+SRG-APP-000510-CTR-001310
+
+[reference]:
+RHEL-08-030181
+
+[reference]:
+SV-244542r818838_rule
+
+[reference]:
BP28(R33)
[reference]:
BP28(R73)
-
-[reference]:
-1
-
-[reference]:
-11
-
-[reference]:
-12
-
-[reference]:
-13
-
-[reference]:
-14
-
-[reference]:
-15
-
-[reference]:
-16
-
-[reference]:
-19
-
-[reference]:
-2
-
-[reference]:
-3
-
-[reference]:
-4
-
-[reference]:
-5
-
-[reference]:
-6
-
-[reference]:
-7
-
-[reference]:
-8
-
-[reference]:
-9
-
-[reference]:
-5.4.1.1
-
-[reference]:
-APO10.01
-
-[reference]:
-APO10.03
-
-[reference]:
-APO10.04
-
-[reference]:
-APO10.05
-
-[reference]:
-APO11.04
-
-[reference]:
-APO12.06
-
-[reference]:
-APO13.01
-
-[reference]:
-BAI03.05
-
-[reference]:
-BAI08.02
-
-[reference]:
-DSS01.03
-
-[reference]:
-DSS01.04
-
-[reference]:
-DSS02.02
-
-[reference]:
-DSS02.04
-
-[reference]:
-DSS02.07
-
-[reference]:
-DSS03.01
-
-[reference]:
-DSS03.05
-
-[reference]:
-DSS05.02
-
-[reference]:
-DSS05.03
-
-[reference]:
-DSS05.04
-
-[reference]:
-DSS05.05
-
-[reference]:
-DSS05.07
-
-[reference]:
-MEA01.01
-
-[reference]:
-MEA01.02
-
-[reference]:
-MEA01.03
-
-[reference]:
-MEA01.04
-
-[reference]:
-MEA01.05
-
-[reference]:
-MEA02.01
-
-[reference]:
-3.3.1
-
-[reference]:
-3.3.2
-
-[reference]:
-3.3.6
-
-[reference]:
-CCI-000126
-
-[reference]:
-CCI-000130
-
-[reference]:
-CCI-000131
-
-[reference]:
-CCI-000132
-
-[reference]:
-CCI-000133
-
-[reference]:
-CCI-000134
-
-[reference]:
-CCI-000135
-
-[reference]:
-CCI-000154
-
-[reference]:
-CCI-000158
-
-[reference]:
-CCI-000172
-
-[reference]:
-CCI-000366
-
-[reference]:
-CCI-001464
-
-[reference]:
-CCI-001487
-
-[reference]:
-CCI-001814
-
-[reference]:
-CCI-001875
-
-[reference]:
-CCI-001876
-
-[reference]:
-CCI-001877
-
-[reference]:
-CCI-002884
-
-[reference]:
-CCI-001878
-
-[reference]:
-CCI-001879
-
-[reference]:
-CCI-001880
-
-[reference]:
-CCI-001881
-
-[reference]:
-CCI-001882
-
-[reference]:
-CCI-001889
-
-[reference]:
-CCI-001914
-
-[reference]:
-CCI-000169
-
-[reference]:
-164.308(a)(1)(ii)(D)
-
-[reference]:
-164.308(a)(5)(ii)(C)
-
-[reference]:
-164.310(a)(2)(iv)
-
-[reference]:
-164.310(d)(2)(iii)
-
-[reference]:
-164.312(b)
-
-[reference]:
-4.2.3.10
-
-[reference]:
-4.3.2.6.7
-
-[reference]:
-4.3.3.3.9
-
-[reference]:
-4.3.3.5.8
-
-[reference]:
-4.3.3.6.6
-
-[reference]:
-4.3.4.4.7
-
-[reference]:
-4.3.4.5.6
-
-[reference]:
-4.3.4.5.7
-
-[reference]:
-4.3.4.5.8
-
-[reference]:
-4.4.2.1
-
-[reference]:
-4.4.2.2
-
-[reference]:
-4.4.2.4
-
-[reference]:
-SR 1.13
-
-[reference]:
-SR 2.10
-
-[reference]:
-SR 2.11
-
-[reference]:
-SR 2.12
-
-[reference]:
-SR 2.6
-
-[reference]:
-SR 2.8
-
-[reference]:
-SR 2.9
-
-[reference]:
-SR 3.1
-
-[reference]:
-SR 3.5
-
-[reference]:
-SR 3.8
-
-[reference]:
-SR 4.1
-
-[reference]:
-SR 4.3
-
-[reference]:
-SR 5.1
-
-[reference]:
-SR 5.2
-
-[reference]:
-SR 5.3
-
-[reference]:
-SR 6.1
-
-[reference]:
-SR 6.2
-
-[reference]:
-SR 7.1
-
-[reference]:
-SR 7.6
-
-[reference]:
-A.11.2.6
-
-[reference]:
-A.12.4.1
-
-[reference]:
-A.12.4.2
-
-[reference]:
-A.12.4.3
-
-[reference]:
-A.12.4.4
-
-[reference]:
-A.12.7.1
-
-[reference]:
-A.13.1.1
-
-[reference]:
-A.13.2.1
-
-[reference]:
-A.14.1.3
-
-[reference]:
-A.14.2.7
-
-[reference]:
-A.15.2.1
-
-[reference]:
-A.15.2.2
-
-[reference]:
-A.16.1.4
-
-[reference]:
-A.16.1.5
-
-[reference]:
-A.16.1.7
-
-[reference]:
-A.6.2.1
-
-[reference]:
-A.6.2.2
-
-[reference]:
-CIP-004-6 R3.3
-
-[reference]:
-CIP-007-3 R6.5
-
-[reference]:
-AC-2(g)
-
-[reference]:
-AU-3
-
-[reference]:
-AU-10
-
-[reference]:
-AU-2(d)
-
-[reference]:
-AU-12(c)
-
-[reference]:
-AU-14(1)
-
-[reference]:
-AC-6(9)
-
-[reference]:
-CM-6(a)
-
-[reference]:
-SI-4(23)
-
-[reference]:
-DE.AE-3
-
-[reference]:
-DE.AE-5
-
-[reference]:
-DE.CM-1
-
-[reference]:
-DE.CM-3
-
-[reference]:
-DE.CM-7
-
-[reference]:
-ID.SC-4
-
-[reference]:
-PR.AC-3
-
-[reference]:
-PR.PT-1
-
-[reference]:
-PR.PT-4
-
-[reference]:
-RS.AN-1
-
-[reference]:
-RS.AN-4
-
-[reference]:
-FAU_GEN.1
-
-[reference]:
-Req-10.1
-
-[reference]:
-10.2.1
-
-[reference]:
-SRG-OS-000062-GPOS-00031
-
-[reference]:
-SRG-OS-000037-GPOS-00015
-
-[reference]:
-SRG-OS-000038-GPOS-00016
-
-[reference]:
-SRG-OS-000039-GPOS-00017
-
-[reference]:
-SRG-OS-000040-GPOS-00018
-
-[reference]:
-SRG-OS-000041-GPOS-00019
-
-[reference]:
-SRG-OS-000042-GPOS-00021
-
-[reference]:
-SRG-OS-000051-GPOS-00024
-
-[reference]:
-SRG-OS-000054-GPOS-00025
-
-[reference]:
-SRG-OS-000122-GPOS-00063
-
-[reference]:
-SRG-OS-000254-GPOS-00095
-
-[reference]:
-SRG-OS-000255-GPOS-00096
-
-[reference]:
-SRG-OS-000337-GPOS-00129
-
-[reference]:
-SRG-OS-000348-GPOS-00136
-
-[reference]:
-SRG-OS-000349-GPOS-00137
-
-[reference]:
-SRG-OS-000350-GPOS-00138
-
-[reference]:
-SRG-OS-000351-GPOS-00139
-
-[reference]:
-SRG-OS-000352-GPOS-00140
-
-[reference]:
-SRG-OS-000353-GPOS-00141
-
-[reference]:
-SRG-OS-000354-GPOS-00142
-
-[reference]:
-SRG-OS-000358-GPOS-00145
-
-[reference]:
-SRG-OS-000365-GPOS-00152
-
-[reference]:
-SRG-OS-000392-GPOS-00172
-
-[reference]:
-SRG-OS-000475-GPOS-00220
-
-[reference]:
-SRG-APP-000095-CTR-000170
-
-[reference]:
-SRG-APP-000409-CTR-000990
-
-[reference]:
-SRG-APP-000508-CTR-001300
-
-[reference]:
-SRG-APP-000510-CTR-001310
-
-[reference]:
-RHEL-08-030181
-
-[reference]:
-SV-244542r818838_rule
[reference]:
5.2.1.4
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable'.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -17,379 +17,379 @@
With this setting, a reboot will be required to change any audit rules.
[reference]:
+1
+
+[reference]:
+11
+
+[reference]:
+12
+
+[reference]:
+13
+
+[reference]:
+14
+
+[reference]:
+15
+
+[reference]:
+16
+
+[reference]:
+18
+
+[reference]:
+19
+
+[reference]:
+3
+
+[reference]:
+4
+
+[reference]:
+5
+
+[reference]:
+6
+
+[reference]:
+7
+
+[reference]:
+8
+
+[reference]:
+5.4.1.1
+
+[reference]:
+APO01.06
+
+[reference]:
+APO10.01
+
+[reference]:
+APO10.03
+
+[reference]:
+APO10.04
+
+[reference]:
+APO10.05
+
+[reference]:
+APO11.04
+
+[reference]:
+APO12.06
+
+[reference]:
+BAI03.05
+
+[reference]:
+BAI08.02
+
+[reference]:
+DSS02.02
+
+[reference]:
+DSS02.04
+
+[reference]:
+DSS02.07
+
+[reference]:
+DSS03.01
+
+[reference]:
+DSS05.04
+
+[reference]:
+DSS05.07
+
+[reference]:
+DSS06.02
+
+[reference]:
+MEA01.01
+
+[reference]:
+MEA01.02
+
+[reference]:
+MEA01.03
+
+[reference]:
+MEA01.04
+
+[reference]:
+MEA01.05
+
+[reference]:
+MEA02.01
+
+[reference]:
+3.3.1
+
+[reference]:
+3.4.3
+
+[reference]:
+CCI-000162
+
+[reference]:
+CCI-000163
+
+[reference]:
+CCI-000164
+
+[reference]:
+164.308(a)(1)(ii)(D)
+
+[reference]:
+164.308(a)(3)(ii)(A)
+
+[reference]:
+164.308(a)(5)(ii)(C)
+
+[reference]:
+164.312(a)(2)(i)
+
+[reference]:
+164.310(a)(2)(iv)
+
+[reference]:
+164.312(d)
+
+[reference]:
+164.310(d)(2)(iii)
+
+[reference]:
+164.312(b)
+
+[reference]:
+164.312(e)
+
+[reference]:
+4.2.3.10
+
+[reference]:
+4.3.2.6.7
+
+[reference]:
+4.3.3.3.9
+
+[reference]:
+4.3.3.5.8
+
+[reference]:
+4.3.3.7.3
+
+[reference]:
+4.3.4.4.7
+
+[reference]:
+4.3.4.5.6
+
+[reference]:
+4.3.4.5.7
+
+[reference]:
+4.3.4.5.8
+
+[reference]:
+4.4.2.1
+
+[reference]:
+4.4.2.2
+
+[reference]:
+4.4.2.4
+
+[reference]:
+SR 2.1
+
+[reference]:
+SR 2.10
+
+[reference]:
+SR 2.11
+
+[reference]:
+SR 2.12
+
+[reference]:
+SR 2.8
+
+[reference]:
+SR 2.9
+
+[reference]:
+SR 5.2
+
+[reference]:
+SR 6.1
+
+[reference]:
+A.10.1.1
+
+[reference]:
+A.11.1.4
+
+[reference]:
+A.11.1.5
+
+[reference]:
+A.11.2.1
+
+[reference]:
+A.12.4.1
+
+[reference]:
+A.12.4.2
+
+[reference]:
+A.12.4.3
+
+[reference]:
+A.12.4.4
+
+[reference]:
+A.12.7.1
+
+[reference]:
+A.13.1.1
+
+[reference]:
+A.13.1.3
+
+[reference]:
+A.13.2.1
+
+[reference]:
+A.13.2.3
+
+[reference]:
+A.13.2.4
+
+[reference]:
+A.14.1.2
+
+[reference]:
+A.14.1.3
+
+[reference]:
+A.15.2.1
+
+[reference]:
+A.15.2.2
+
+[reference]:
+A.16.1.4
+
+[reference]:
+A.16.1.5
+
+[reference]:
+A.16.1.7
+
+[reference]:
+A.6.1.2
+
+[reference]:
+A.7.1.1
+
+[reference]:
+A.7.1.2
+
+[reference]:
+A.7.3.1
+
+[reference]:
+A.8.2.2
+
+[reference]:
+A.8.2.3
+
+[reference]:
+A.9.1.1
+
+[reference]:
+A.9.1.2
+
+[reference]:
+A.9.2.3
+
+[reference]:
+A.9.4.1
+
+[reference]:
+A.9.4.4
+
+[reference]:
+A.9.4.5
+
+[reference]:
+AC-6(9)
+
+[reference]:
+CM-6(a)
+
+[reference]:
+DE.AE-3
+
+[reference]:
+DE.AE-5
+
+[reference]:
+ID.SC-4
+
+[reference]:
+PR.AC-4
+
+[reference]:
+PR.DS-5
+
+[reference]:
+PR.PT-1
+
+[reference]:
+RS.AN-1
+
+[reference]:
+RS.AN-4
+
+[reference]:
+Req-10.5.2
+
+[reference]:
+10.3.2
+
+[reference]:
+SRG-OS-000057-GPOS-00027
+
+[reference]:
+SRG-OS-000058-GPOS-00028
+
+[reference]:
+SRG-OS-000059-GPOS-00029
+
+[reference]:
+SRG-APP-000119-CTR-000245
+
+[reference]:
+SRG-APP-000120-CTR-000250
+
+[reference]:
+RHEL-08-030121
+
+[reference]:
+SV-230402r627750_rule
+
+[reference]:
BP28(R73)
-
-[reference]:
-1
-
-[reference]:
-11
-
-[reference]:
-12
-
-[reference]:
-13
-
-[reference]:
-14
-
-[reference]:
-15
-
-[reference]:
-16
-
-[reference]:
-18
-
-[reference]:
-19
-
-[reference]:
-3
-
-[reference]:
-4
-
-[reference]:
-5
-
-[reference]:
-6
-
-[reference]:
-7
-
-[reference]:
-8
-
-[reference]:
-5.4.1.1
-
-[reference]:
-APO01.06
-
-[reference]:
-APO10.01
-
-[reference]:
-APO10.03
-
-[reference]:
-APO10.04
-
-[reference]:
-APO10.05
-
-[reference]:
-APO11.04
-
-[reference]:
-APO12.06
-
-[reference]:
-BAI03.05
-
-[reference]:
-BAI08.02
-
-[reference]:
-DSS02.02
-
-[reference]:
-DSS02.04
-
-[reference]:
-DSS02.07
-
-[reference]:
-DSS03.01
-
-[reference]:
-DSS05.04
-
-[reference]:
-DSS05.07
-
-[reference]:
-DSS06.02
-
-[reference]:
-MEA01.01
-
-[reference]:
-MEA01.02
-
-[reference]:
-MEA01.03
-
-[reference]:
-MEA01.04
-
-[reference]:
-MEA01.05
-
-[reference]:
-MEA02.01
-
-[reference]:
-3.3.1
-
-[reference]:
-3.4.3
-
-[reference]:
-CCI-000162
-
-[reference]:
-CCI-000163
-
-[reference]:
-CCI-000164
-
-[reference]:
-164.308(a)(1)(ii)(D)
-
-[reference]:
-164.308(a)(3)(ii)(A)
-
-[reference]:
-164.308(a)(5)(ii)(C)
-
-[reference]:
-164.312(a)(2)(i)
-
-[reference]:
-164.310(a)(2)(iv)
-
-[reference]:
-164.312(d)
-
-[reference]:
-164.310(d)(2)(iii)
-
-[reference]:
-164.312(b)
-
-[reference]:
-164.312(e)
-
-[reference]:
-4.2.3.10
-
-[reference]:
-4.3.2.6.7
-
-[reference]:
-4.3.3.3.9
-
-[reference]:
-4.3.3.5.8
-
-[reference]:
-4.3.3.7.3
-
-[reference]:
-4.3.4.4.7
-
-[reference]:
-4.3.4.5.6
-
-[reference]:
-4.3.4.5.7
-
-[reference]:
-4.3.4.5.8
-
-[reference]:
-4.4.2.1
-
-[reference]:
-4.4.2.2
-
-[reference]:
-4.4.2.4
-
-[reference]:
-SR 2.1
-
-[reference]:
-SR 2.10
-
-[reference]:
-SR 2.11
-
-[reference]:
-SR 2.12
-
-[reference]:
-SR 2.8
-
-[reference]:
-SR 2.9
-
-[reference]:
-SR 5.2
-
-[reference]:
-SR 6.1
-
-[reference]:
-A.10.1.1
-
-[reference]:
-A.11.1.4
-
-[reference]:
-A.11.1.5
-
-[reference]:
-A.11.2.1
-
-[reference]:
-A.12.4.1
-
-[reference]:
-A.12.4.2
-
-[reference]:
-A.12.4.3
-
-[reference]:
-A.12.4.4
-
-[reference]:
-A.12.7.1
-
-[reference]:
-A.13.1.1
-
-[reference]:
-A.13.1.3
-
-[reference]:
-A.13.2.1
-
-[reference]:
-A.13.2.3
-
-[reference]:
-A.13.2.4
-
-[reference]:
-A.14.1.2
-
-[reference]:
-A.14.1.3
-
-[reference]:
-A.15.2.1
-
-[reference]:
-A.15.2.2
-
-[reference]:
-A.16.1.4
-
-[reference]:
-A.16.1.5
-
-[reference]:
-A.16.1.7
-
-[reference]:
-A.6.1.2
-
-[reference]:
-A.7.1.1
-
-[reference]:
-A.7.1.2
-
-[reference]:
-A.7.3.1
-
-[reference]:
-A.8.2.2
-
-[reference]:
-A.8.2.3
-
-[reference]:
-A.9.1.1
-
-[reference]:
-A.9.1.2
-
-[reference]:
-A.9.2.3
-
-[reference]:
-A.9.4.1
-
-[reference]:
-A.9.4.4
-
-[reference]:
-A.9.4.5
-
-[reference]:
-AC-6(9)
-
-[reference]:
-CM-6(a)
-
-[reference]:
-DE.AE-3
-
-[reference]:
-DE.AE-5
-
-[reference]:
-ID.SC-4
-
-[reference]:
-PR.AC-4
-
-[reference]:
-PR.DS-5
-
-[reference]:
-PR.PT-1
-
-[reference]:
-RS.AN-1
-
-[reference]:
-RS.AN-4
-
-[reference]:
-Req-10.5.2
-
-[reference]:
-10.3.2
-
-[reference]:
-SRG-OS-000057-GPOS-00027
-
-[reference]:
-SRG-OS-000058-GPOS-00028
-
-[reference]:
-SRG-OS-000059-GPOS-00029
-
-[reference]:
-SRG-APP-000119-CTR-000245
-
-[reference]:
-SRG-APP-000120-CTR-000250
-
-[reference]:
-RHEL-08-030121
-
-[reference]:
-SV-230402r627750_rule
[reference]:
5.2.3.20
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification'.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -14,358 +14,358 @@
-w /etc/selinux/ -p wa -k MAC-policy
[reference]:
+1
+
+[reference]:
+11
+
+[reference]:
+12
+
+[reference]:
+13
+
+[reference]:
+14
+
+[reference]:
+15
+
+[reference]:
+16
+
+[reference]:
+19
+
+[reference]:
+2
+
+[reference]:
+3
+
+[reference]:
+4
+
+[reference]:
+5
+
+[reference]:
+6
+
+[reference]:
+7
+
+[reference]:
+8
+
+[reference]:
+9
+
+[reference]:
+5.4.1.1
+
+[reference]:
+APO10.01
+
+[reference]:
+APO10.03
+
+[reference]:
+APO10.04
+
+[reference]:
+APO10.05
+
+[reference]:
+APO11.04
+
+[reference]:
+APO12.06
+
+[reference]:
+APO13.01
+
+[reference]:
+BAI03.05
+
+[reference]:
+BAI08.02
+
+[reference]:
+DSS01.03
+
+[reference]:
+DSS01.04
+
+[reference]:
+DSS02.02
+
+[reference]:
+DSS02.04
+
+[reference]:
+DSS02.07
+
+[reference]:
+DSS03.01
+
+[reference]:
+DSS03.05
+
+[reference]:
+DSS05.02
+
+[reference]:
+DSS05.03
+
+[reference]:
+DSS05.04
+
+[reference]:
+DSS05.05
+
+[reference]:
+DSS05.07
+
+[reference]:
+MEA01.01
+
+[reference]:
+MEA01.02
+
+[reference]:
+MEA01.03
+
+[reference]:
+MEA01.04
+
+[reference]:
+MEA01.05
+
+[reference]:
+MEA02.01
+
+[reference]:
+3.1.8
+
+[reference]:
+164.308(a)(1)(ii)(D)
+
+[reference]:
+164.308(a)(3)(ii)(A)
+
+[reference]:
+164.308(a)(5)(ii)(C)
+
+[reference]:
+164.312(a)(2)(i)
+
+[reference]:
+164.312(b)
+
+[reference]:
+164.312(d)
+
+[reference]:
+164.312(e)
+
+[reference]:
+4.2.3.10
+
+[reference]:
+4.3.2.6.7
+
+[reference]:
+4.3.3.3.9
+
+[reference]:
+4.3.3.5.8
+
+[reference]:
+4.3.3.6.6
+
+[reference]:
+4.3.4.4.7
+
+[reference]:
+4.3.4.5.6
+
+[reference]:
+4.3.4.5.7
+
+[reference]:
+4.3.4.5.8
+
+[reference]:
+4.4.2.1
+
+[reference]:
+4.4.2.2
+
+[reference]:
+4.4.2.4
+
+[reference]:
+SR 1.13
+
+[reference]:
+SR 2.10
+
+[reference]:
+SR 2.11
+
+[reference]:
+SR 2.12
+
+[reference]:
+SR 2.6
+
+[reference]:
+SR 2.8
+
+[reference]:
+SR 2.9
+
+[reference]:
+SR 3.1
+
+[reference]:
+SR 3.5
+
+[reference]:
+SR 3.8
+
+[reference]:
+SR 4.1
+
+[reference]:
+SR 4.3
+
+[reference]:
+SR 5.1
+
+[reference]:
+SR 5.2
+
+[reference]:
+SR 5.3
+
+[reference]:
+SR 6.1
+
+[reference]:
+SR 6.2
+
+[reference]:
+SR 7.1
+
+[reference]:
+SR 7.6
+
+[reference]:
+A.11.2.6
+
+[reference]:
+A.12.4.1
+
+[reference]:
+A.12.4.2
+
+[reference]:
+A.12.4.3
+
+[reference]:
+A.12.4.4
+
+[reference]:
+A.12.7.1
+
+[reference]:
+A.13.1.1
+
+[reference]:
+A.13.2.1
+
+[reference]:
+A.14.1.3
+
+[reference]:
+A.14.2.7
+
+[reference]:
+A.15.2.1
+
+[reference]:
+A.15.2.2
+
+[reference]:
+A.16.1.4
+
+[reference]:
+A.16.1.5
+
+[reference]:
+A.16.1.7
+
+[reference]:
+A.6.2.1
+
+[reference]:
+A.6.2.2
+
+[reference]:
+AU-2(d)
+
+[reference]:
+AU-12(c)
+
+[reference]:
+CM-6(a)
+
+[reference]:
+DE.AE-3
+
+[reference]:
+DE.AE-5
+
+[reference]:
+DE.CM-1
+
+[reference]:
+DE.CM-3
+
+[reference]:
+DE.CM-7
+
+[reference]:
+ID.SC-4
+
+[reference]:
+PR.AC-3
+
+[reference]:
+PR.PT-1
+
+[reference]:
+PR.PT-4
+
+[reference]:
+RS.AN-1
+
+[reference]:
+RS.AN-4
+
+[reference]:
+FAU_GEN.1.1.c
+
+[reference]:
+Req-10.5.5
+
+[reference]:
+10.3.4
+
+[reference]:
BP28(R73)
-
-[reference]:
-1
-
-[reference]:
-11
-
-[reference]:
-12
-
-[reference]:
-13
-
-[reference]:
-14
-
-[reference]:
-15
-
-[reference]:
-16
-
-[reference]:
-19
-
-[reference]:
-2
-
-[reference]:
-3
-
-[reference]:
-4
-
-[reference]:
-5
-
-[reference]:
-6
-
-[reference]:
-7
-
-[reference]:
-8
-
-[reference]:
-9
-
-[reference]:
-5.4.1.1
-
-[reference]:
-APO10.01
-
-[reference]:
-APO10.03
-
-[reference]:
-APO10.04
-
-[reference]:
-APO10.05
-
-[reference]:
-APO11.04
-
-[reference]:
-APO12.06
-
-[reference]:
-APO13.01
-
-[reference]:
-BAI03.05
-
-[reference]:
-BAI08.02
-
-[reference]:
-DSS01.03
-
-[reference]:
-DSS01.04
-
-[reference]:
-DSS02.02
-
-[reference]:
-DSS02.04
-
-[reference]:
-DSS02.07
-
-[reference]:
-DSS03.01
-
-[reference]:
-DSS03.05
-
-[reference]:
-DSS05.02
-
-[reference]:
-DSS05.03
-
-[reference]:
-DSS05.04
-
-[reference]:
-DSS05.05
-
-[reference]:
-DSS05.07
-
-[reference]:
-MEA01.01
-
-[reference]:
-MEA01.02
-
-[reference]:
-MEA01.03
-
-[reference]:
-MEA01.04
-
-[reference]:
-MEA01.05
-
-[reference]:
-MEA02.01
-
-[reference]:
-3.1.8
-
-[reference]:
-164.308(a)(1)(ii)(D)
-
-[reference]:
-164.308(a)(3)(ii)(A)
-
-[reference]:
-164.308(a)(5)(ii)(C)
-
-[reference]:
-164.312(a)(2)(i)
-
-[reference]:
-164.312(b)
-
-[reference]:
-164.312(d)
-
-[reference]:
-164.312(e)
-
-[reference]:
-4.2.3.10
-
-[reference]:
-4.3.2.6.7
-
-[reference]:
-4.3.3.3.9
-
-[reference]:
-4.3.3.5.8
-
-[reference]:
-4.3.3.6.6
-
-[reference]:
-4.3.4.4.7
-
-[reference]:
-4.3.4.5.6
-
-[reference]:
-4.3.4.5.7
-
-[reference]:
-4.3.4.5.8
-
-[reference]:
-4.4.2.1
-
-[reference]:
-4.4.2.2
-
-[reference]:
-4.4.2.4
-
-[reference]:
-SR 1.13
-
-[reference]:
-SR 2.10
-
-[reference]:
-SR 2.11
-
-[reference]:
-SR 2.12
-
-[reference]:
-SR 2.6
-
-[reference]:
-SR 2.8
-
-[reference]:
-SR 2.9
-
-[reference]:
-SR 3.1
-
-[reference]:
-SR 3.5
-
-[reference]:
-SR 3.8
-
-[reference]:
-SR 4.1
-
-[reference]:
-SR 4.3
-
-[reference]:
-SR 5.1
-
-[reference]:
-SR 5.2
-
-[reference]:
-SR 5.3
-
-[reference]:
-SR 6.1
-
-[reference]:
-SR 6.2
-
-[reference]:
-SR 7.1
-
-[reference]:
-SR 7.6
-
-[reference]:
-A.11.2.6
-
-[reference]:
-A.12.4.1
-
-[reference]:
-A.12.4.2
-
-[reference]:
-A.12.4.3
-
-[reference]:
-A.12.4.4
-
-[reference]:
-A.12.7.1
-
-[reference]:
-A.13.1.1
-
-[reference]:
-A.13.2.1
-
-[reference]:
-A.14.1.3
-
-[reference]:
-A.14.2.7
-
-[reference]:
-A.15.2.1
-
-[reference]:
-A.15.2.2
-
-[reference]:
-A.16.1.4
-
-[reference]:
-A.16.1.5
-
-[reference]:
-A.16.1.7
-
-[reference]:
-A.6.2.1
-
-[reference]:
-A.6.2.2
-
-[reference]:
-AU-2(d)
-
-[reference]:
-AU-12(c)
-
-[reference]:
-CM-6(a)
-
-[reference]:
-DE.AE-3
-
-[reference]:
-DE.AE-5
-
-[reference]:
-DE.CM-1
-
-[reference]:
-DE.CM-3
-
-[reference]:
-DE.CM-7
-
-[reference]:
-ID.SC-4
-
-[reference]:
-PR.AC-3
-
-[reference]:
-PR.PT-1
-
-[reference]:
-PR.PT-4
-
-[reference]:
-RS.AN-1
-
-[reference]:
-RS.AN-4
-
-[reference]:
-FAU_GEN.1.1.c
-
-[reference]:
-Req-10.5.5
-
-[reference]:
-10.3.4
[reference]:
5.2.3.14
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export'.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -17,400 +17,400 @@
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
[reference]:
+1
+
+[reference]:
+11
+
+[reference]:
+12
+
+[reference]:
+13
+
+[reference]:
+14
+
+[reference]:
+15
+
+[reference]:
+16
+
+[reference]:
+19
+
+[reference]:
+2
+
+[reference]:
+3
+
+[reference]:
+4
+
+[reference]:
+5
+
+[reference]:
+6
+
+[reference]:
+7
+
+[reference]:
+8
+
+[reference]:
+9
+
+[reference]:
+5.4.1.1
+
+[reference]:
+APO10.01
+
+[reference]:
+APO10.03
+
+[reference]:
+APO10.04
+
+[reference]:
+APO10.05
+
+[reference]:
+APO11.04
+
+[reference]:
+APO12.06
+
+[reference]:
+APO13.01
+
+[reference]:
+BAI03.05
+
+[reference]:
+
... The diff is trimmed here ... |
|
Code Climate has analyzed commit e02ccf8 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.4% (0.0% change). View more on Code Climate. |
|
There is references like |
|
Thanks, I originally thought that it's a typo but it occurs multiple times there. I have found that there existed "Note technique DAT-NT-012" which is a guide on logging. It seems to be replaced by this document now: https://cyber.gouv.fr/sites/default/files/2022/01/anssi-guide-recommandations_securite_architecture_systeme_journalisation.pdf That is a problem because that means that these references point out to a different document than the control file which points to ANSSI BP028: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf So I think that for these references we should introduce a new reference type. However, if these references lead to an outdated document we shouldn't keep them there and instead add references to the new document. What do you think? |
|
And also I have just found that there is also inconsistency with the URL in the control files and the URL in the |
I'm okay with removing those, but we should add them back under a new key and different PR. |
Mab879
approved these changes
Feb 7, 2024
Mab879
added
the
Update Profile
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The references to ANSSI will be automatically added to rules during the build based on the data in
controls/anssi.yml.